Optionally verifying the ClientHello sent on wire

refraction-networking / utls

Fork of the Go standard TLS library, providing low-level access to the ClientHello for mimicry purposes.

BSD 3-Clause "New" or "Revised" License

1.57k stars 231 forks source link

Optionally verifying the ClientHello sent on wire #126

Open gaukas opened 1 year ago

gaukas commented 1 year ago

Implement an optional feature which, when enabled, will:

Capture the bytes of ClientHello sent on wire
Compare it with the desired ClientHelloMessage
Throw error and tear down connection if didn't match

This may help us in preventing unintended behaviors of malfunctioning extensions in uTLS.

Original Post: https://github.com/net4people/bbs/issues/139#issuecomment-1281760299 by @klzgrad

klzgrad commented 1 year ago

This is meant to prevent accidental leakage of unmodified Go fingerprints as reported in https://github.com/net4people/bbs/issues/139. The check must be as close to the wire as possible and can check for known wrong fingerprints e.g. default Go fingerprints.

But the action should be determined after reproducing the original bug. If the bug turns out to be caused by incorrect configuration or bugs within uTLS, the check can catch it. If the problematic code path is caused by external factors that make uTLS entirely unused then I don't think this would help.