e1732a364fed / v2ray_simple

a verysimple proxy
MIT License
530 stars, 104 forks

[Bug] Shadow-TLS implementation does not support the h2 upgrade, which may make it detectable #241

Closed. bash99 closed this 1 year ago

bash99 commented 1 year ago

Describe the bug: Using www.dell.com (or cisco/microsoft) as the camouflage site and accessing it with curl, the first step (TLS) succeeds, the connection is then automatically upgraded to h2, and after that the connection is dropped.

To Reproduce:

curl -vik --resolve www.dell.com:4433:127.0.0.1 https://www.dell.com:4433

Expected behavior:

The same response as when curl accesses the site directly (the latest Shadow-TLS 0.2.8 works correctly and also returns this response):

<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD><BODY>
<H1>Access Denied</H1>

You don't have permission to access "http&#58;&#47;&#47;www&#46;dell&#46;com&#47;" on this server.<P>
Reference&#32;&#35;18&#46;240f2417&#46;1675224486&#46;ade5606
</BODY>
</HTML>

Actual response:

> GET / HTTP/2
> Host: www.dell.com:4433
> user-agent: curl/7.81.0
> accept: */*
> 
* OpenSSL SSL_read: Connection reset by peer, errno 104
* Failed receiving HTTP2 data
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* OpenSSL SSL_write: Broken pipe, errno 32
* Failed sending HTTP2 data
* Connection #0 to host www.dell.com left intact
curl: (56) OpenSSL SSL_read: Connection reset by peer, errno 104

Config file (client and server configs): just replace every cloud.tecent.com in examples/shadowTls.server.toml with www.dell.com:

perl -pi -e "s/cloud.tecent.com/www.dell.com/g" examples/shadowTls.server.toml 

The shadow-tls start command used for comparison:

./shadow-tls-x86_64-unknown-linux-musl server --listen 127.0.0.1:4433 --server 127.0.0.1:8443 --tls www.dell.com:443 --password xxxfffffbbb

Debug Log (client and server logs):

Full curl output:

$ curl -vik --resolve www.dell.com:4433:127.0.0.1 https://www.dell.com:4433
* Added www.dell.com:4433:127.0.0.1 to DNS cache
* Hostname www.dell.com was found in DNS cache
*   Trying 127.0.0.1:4433...
* Connected to www.dell.com (127.0.0.1) port 4433 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=Texas; L=Round Rock; O=Dell; CN=*.dell.com
*  start date: Oct  8 00:56:57 2022 GMT
*  expire date: Nov  2 00:56:57 2023 GMT
*  issuer: C=US; O=Entrust, Inc.; OU=See www.entrust.net/legal-terms; OU=(c) 2012 Entrust, Inc. - for authorized use only; CN=Entrust Certification Authority - L1K
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x5616bc7c5960)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: www.dell.com:4433
> user-agent: curl/7.81.0
> accept: */*
> 
* OpenSSL SSL_read: Connection reset by peer, errno 104
* Failed receiving HTTP2 data
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* OpenSSL SSL_write: Broken pipe, errno 32
* Failed sending HTTP2 data
* Connection #0 to host www.dell.com left intact
curl: (56) OpenSSL SSL_read: Connection reset by peer, errno 104

Full output with the Rust version of shadow-tls:

* Added www.dell.com:4433:127.0.0.1 to DNS cache
* Hostname www.dell.com was found in DNS cache
*   Trying 127.0.0.1:4433...
* Connected to www.dell.com (127.0.0.1) port 4433 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=Texas; L=Round Rock; O=Dell; CN=*.dell.com
*  start date: Oct  8 00:56:57 2022 GMT
*  expire date: Nov  2 00:56:57 2023 GMT
*  issuer: C=US; O=Entrust, Inc.; OU=See www.entrust.net/legal-terms; OU=(c) 2012 Entrust, Inc. - for authorized use only; CN=Entrust Certification Authority - L1K
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56347f5102c0)
> GET / HTTP/2
> Host: www.dell.com:4433
> user-agent: curl/7.74.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 403 
HTTP/2 403 
< server: AkamaiGHost
server: AkamaiGHost
< mime-version: 1.0
mime-version: 1.0
< content-type: text/html
content-type: text/html
< content-length: 262
content-length: 262
< expires: Wed, 01 Feb 2023 04:20:44 GMT
expires: Wed, 01 Feb 2023 04:20:44 GMT
< date: Wed, 01 Feb 2023 04:20:44 GMT
date: Wed, 01 Feb 2023 04:20:44 GMT
< set-cookie: akGD=%7B%22country%22%3A%22US%22%2C%22region%22%3A%22CA%22%7D; expires=Mon, 31-Dec-2038 23:59:59 GMT; path=/; domain=.dell.com; secure
set-cookie: akGD=%7B%22country%22%3A%22US%22%2C%22region%22%3A%22CA%22%7D; expires=Mon, 31-Dec-2038 23:59:59 GMT; path=/; domain=.dell.com; secure
< x-akamai-erpolicy: Responsive_redirects
x-akamai-erpolicy: Responsive_redirects
< x-akamai-erruleid: 
x-akamai-erruleid: 
< set-cookie: akavpau_maintenance_vp=1675225544~id=2d2cacbba760f22ed731cdf180729a04; Path=/; HttpOnly; Secure; SameSite=None
set-cookie: akavpau_maintenance_vp=1675225544~id=2d2cacbba760f22ed731cdf180729a04; Path=/; HttpOnly; Secure; SameSite=None
< server-timing: rtt;desc="RTT = Excellent", rtt-value;desc="RTT Duration";dur=2
server-timing: rtt;desc="RTT = Excellent", rtt-value;desc="RTT Duration";dur=2
< x-akamai-rtt-value: 2
x-akamai-rtt-value: 2
< x-akamai-rtt: Excellent
x-akamai-rtt: Excellent

< 
<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD><BODY>
<H1>Access Denied</H1>

You don't have permission to access "http&#58;&#47;&#47;www&#46;dell&#46;com&#47;" on this server.<P>
Reference&#32;&#35;18&#46;36f00f17&#46;1675225244&#46;22ca8929
</BODY>
</HTML>
* Connection #0 to host www.dell.com left intact
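The relay behaviour the report asks for, modelled as an added Go example. This is my code, not v2ray_simple's or shadow-tls's, and it is not the real ShadowTLS v2 authentication scheme: the HMAC tag construction, the placeholder password and server random, and the record contents are assumptions made for illustration. It shows a TLS record-layer parser and a per-record routing decision in which every record from a client that has not proved knowledge of the password, including curl's h2 connection preface after ALPN negotiated h2, keeps flowing to the camouflage server, so the connection is never reset by the relay.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// TLS record content types (RFC 8446, section 5.1); the legacy version field is ignored.
const (
	ctChangeCipherSpec byte = 0x14
	ctHandshake        byte = 0x16
	ctApplicationData  byte = 0x17
	maxRecordLen            = 1<<14 + 256 // largest TLSCiphertext fragment RFC 8446 allows
	tagLen                  = 8
)

// Record is one TLS record: content type plus the opaque fragment (ciphertext after the handshake).
type Record struct {
	Type byte
	Body []byte
}

// Bytes serialises the record behind a 5-byte header (legacy version 0x0303).
func (r Record) Bytes() []byte {
	hdr := []byte{r.Type, 3, 3, byte(len(r.Body) >> 8), byte(len(r.Body))}
	return append(hdr, r.Body...)
}

// ParseRecords splits buf into complete records plus the unconsumed tail (a partial record
// waiting for more bytes). A header advertising an impossible length is an error.
func ParseRecords(buf []byte) ([]Record, []byte, error) {
	var recs []Record
	for len(buf) >= 5 {
		n := int(binary.BigEndian.Uint16(buf[3:5]))
		if n > maxRecordLen {
			return nil, nil, fmt.Errorf("tls record length %d exceeds RFC 8446 limit", n)
		}
		if len(buf) < 5+n {
			break
		}
		recs = append(recs, Record{buf[0], append([]byte(nil), buf[5:5+n]...)})
		buf = buf[5+n:]
	}
	return recs, buf, nil
}

// Relay is per-connection state of a Shadow-TLS-style server. Hypothetical, simplified
// authentication for this example (not the exact ShadowTLS v2 construction): the first tagLen
// bytes of an application-data fragment must equal HMAC-SHA256(Password, ServerRandom || rest)[:tagLen].
type Relay struct {
	Password, ServerRandom []byte // ServerRandom: copied from the ServerHello relayed from the camouflage server
	authed                 bool
}

func (r *Relay) tag(fragment []byte) []byte {
	m := hmac.New(sha256.New, r.Password)
	m.Write(r.ServerRandom)
	m.Write(fragment)
	return m.Sum(nil)[:tagLen:tagLen]
}

// TagRecord builds the client-side record that proves knowledge of the password.
func TagRecord(password, serverRandom, fragment []byte) Record {
	t := (&Relay{Password: password, ServerRandom: serverRandom}).tag(fragment)
	return Record{ctApplicationData, append(t, fragment...)}
}

// Route reports whether one client record goes to the data server (true) or the camouflage
// server (false). Until a correctly tagged record arrives, everything (handshake, the TLS 1.3 dummy
// CCS, the encrypted Finished, an h2 preface, an HTTP/1.1 request) stays on the camouflage path.
func (r *Relay) Route(rec Record) bool {
	if !r.authed && rec.Type == ctApplicationData && len(rec.Body) >= tagLen &&
		hmac.Equal(rec.Body[:tagLen], r.tag(rec.Body[tagLen:])) {
		r.authed = true
	}
	return r.authed
}

// RouteStream parses a client byte stream and returns Route's verdict for each complete record.
func RouteStream(r *Relay, stream []byte) ([]bool, error) {
	recs, _, err := ParseRecords(stream)
	if err != nil {
		return nil, err
	}
	out := make([]bool, len(recs))
	for i, rec := range recs {
		out[i] = r.Route(rec)
	}
	return out, nil
}

func main() {
	pw, sr := []byte("xxxfffffbbb"), []byte("constructed-server-random") // constructed sample data
	app := func(s string) []byte { return Record{ctApplicationData, []byte(s)}.Bytes() }
	// curl-like probe after ALPN chose h2: dummy CCS, encrypted Finished (placeholder), h2 preface.
	probe := append(append(Record{ctChangeCipherSpec, []byte{1}}.Bytes(), app("<Finished>")...), app("PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n")...)
	fmt.Println(RouteStream(&Relay{Password: pw, ServerRandom: sr}, probe)) // [false false false] <nil>
	client := append(TagRecord(pw, sr, []byte("<payload>")).Bytes(), app("<more>")...) // a real client
	fmt.Println(RouteStream(&Relay{Password: pw, ServerRandom: sr}, client)) // [true true] <nil>
}
```

Routing record by record is what makes the negotiated ALPN protocol irrelevant to the relay: after the handshake, an h2 connection preface and an HTTP/1.1 request are both just opaque application-data records that either carry a valid tag or do not. The relay only ever decides between two forward destinations and never closes the client connection on its own, so a probe such as the curl run above receives whatever the camouflage server answers (here Akamai's 403 page) rather than a reset. The length guard in ParseRecords is the one place the relay should give up, since a header announcing more than RFC 8446 allows is not TLS at all.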
e1732a364fed commented 1 year ago

Very professional!

e1732a364fed commented 1 year ago

The latest code fixes this issue.

SakuraSakuraSakuraChan commented 1 year ago

(Not nagging for an update) ShadowTLS has released V3, and a new project https://github.com/3andne/restls has appeared too; worth a look.

e1732a364fed commented 1 year ago

> (Not nagging for an update) ShadowTLS has released V3, and a new project https://github.com/3andne/restls has appeared too; worth a look.

Very impressive!

bash99 commented 1 year ago

> (Not nagging for an update) ShadowTLS has released V3, and a new project https://github.com/3andne/restls has appeared too; worth a look.

This one is great. I had previously seen CoiaPrant233's article about the GFW attacking shadowtls as a man-in-the-middle, and didn't expect a solution to come out so quickly.

However @e1732a364fed, the shadowtls approach has a very long handshake latency; in my tests only verysimple's vmess smux gives a good user experience. I don't know whether other clients/servers have anything like the grpc-layer option; in any case none are as convenient as vs.

It's enough for vs to support restls mode properly when the time is right; I expect the GFW will need another six months to a year to deal with the shadowtls protocol.