Closed kommunist closed 3 weeks ago
@kommunist Expected a valid header from the client, received a strange one. Is there a stable way to reproduce this? It prevents tunneling? Can you attach complete logs?
@LiquidTheDangerous , of course. Is this what do you want?
bananapipro:~:# sudo journalctl -u spoof-dpi.service --no-pager | grep 55bb099d-5ecab492-e4c98600-bcb293e2
Aug 25 15:02:47 bananapipro spoof-dpi[8250]: 2024-08-25T15:02:47Z DBG 55bb099d-5ecab492-e4c98600-bcb293e2 [HTTPS] new connection to the server 192.168.2.23:46308 -> 91.105.192.100
Aug 25 15:02:47 bananapipro spoof-dpi[8250]: 2024-08-25T15:02:47Z DBG 55bb099d-5ecab492-e4c98600-bcb293e2 [HTTPS] sent connection estabalished to 192.168.2.1:58642
Aug 25 15:02:47 bananapipro spoof-dpi[8250]: 2024-08-25T15:02:47Z DBG 55bb099d-5ecab492-e4c98600-bcb293e2 [HTTPS] error reading client hello from 192.168.2.1:58642: invalid TLS header. Type: 50, ProtoVersion: 4f53, PayloadLen: 5420
@kommunist Can you do it from a client device? And attach full logs pls
curl --request GET --url https://www.google.com --proxy <spoof-dpi-host>:<port>
Attach logs after attempting to connect
@kommunist Did a little magic. From previous attachment, Looks like the client is trying to do an HTTP request instead of a handshake. How are you using the proxy? Client settings?
invalid TLS header. Type: 50, ProtoVersion: 4f53, PayloadLen: 5420
>>> list(map(chr, [0x50, 0x4f, 0x53, 0x54, 0x20]))
>>> ['P', 'O', 'S', 'T', ' ']
For a proxy in HTTPS mode, the client must send a request to proxy to establish a tunnel to remote service, then must send client hello
The client must be aware that he is using a proxy
@LiquidTheDangerous Maybe the client is trying to send a HTTP Request through the existing socket which has been created for HTTPS connection. Current version of spoof-dpi cannot handle that case.
@xvzc Doubtful... Is there any evidence for this? I think there should be a separate pool of connections for http and https schemes for single domain
Maybe you've seen something like this implemented somewhere?
In any case, if a tunnel is created, any requests can go through it. But for some reason the client does not send a handshake
i have no idea too. The client must have sent CONNECT method, however the first message wasn't a client hello but raw http request. sholud we then just bypass the packet when it is not a valid client hello?
I think it's worth finding out the proxy settings on the client device
@kommunist
@WSA1k what is that?
It's a spam
@xvzc I think we need to find a stable way to reproduce this first
I use spoof as proxy for full trafic from separated network for TV. I build proxy from Keenetic router to singleboard bananapi.
I will generate and post logs today later
@kommunist Is there a proxy setting on your TV? Or are you just redirecting all traffic through spoof dpi?
No, i build proxy from router. I redirect all trafic from some network trough spoof dpi.
You mean spoof-dpi is running on your router?
No, i use bananapi on arm architecture in this network and proxy full trafic over this.
███████ ██████ ██████ ██████ ███████ ██████ ██████ ██
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
███████ ██████ ██ ██ ██ ██ █████ ██ ██ ██████ ██
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
███████ ██ ██████ ██████ ██ ██████ ██ ██
• ADDR : 192.168.2.23
• PORT : 8081
• DNS : 8.8.8.8
• DEBUG : true
Press 'CTRL + c' to quit
2024-08-26T08:06:29Z INF [PROXY] created a listener on port 8081
2024-08-26T08:07:34Z DBG [PROXY] request from 192.168.2.23:37104
CONNECT www.youtube.com:443 HTTP/1.1
Host: www.youtube.com:443
User-Agent: curl/8.5.0
Proxy-Connection: Keep-Alive
2024-08-26T08:07:34Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [DNS] resolving www.youtube.com using general resolver(8.8.8.8:53)
2024-08-26T08:07:34Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [DNS] resolved 142.251.1.198 from www.youtube.com in 28 ms
2024-08-26T08:07:34Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] new connection to the server 192.168.2.23:35726 -> www.youtube.com
2024-08-26T08:07:34Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] sent connection estabalished to 192.168.2.23:37104
2024-08-26T08:07:34Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] client sent hello 517 bytes
2024-08-26T08:07:34Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] writing chunked client hello to www.youtube.com
2024-08-26T08:07:34Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] window-size: 0
2024-08-26T08:07:34Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] using legacy fragmentation
2024-08-26T08:07:35Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] finished reading from 192.168.2.23:37104
2024-08-26T08:07:35Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] error reading from www.youtube.com: read tcp 192.168.2.23:35726->142.251.1.198:443: use of closed network connection
2024-08-26T08:07:35Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] closing proxy connection: 192.168.2.23:37104 -> www.youtube.com
2024-08-26T08:07:35Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] closing proxy connection: www.youtube.com -> 192.168.2.23:37104
This is full log. Thire isn`t problem with hello, but another problem with "closed network connection"
closed connection error is a normal behavior
@kommunist
According to this scheme. Client should be aware about proxy.
It seems that it won't be possible to simply forward all client packets through a proxy
I resolve my problems, thank you. Problem was on DoH on my router, but i think that is problem with hello request.
Version
spoof-dpi v0.10.11
Operating System
armbian
How are you running SpoofDPI?
spoof-dpi --addr=192.168.2.23 --port 8081 --debug
Description
error reading client hello from 192.168.2.1:56784: invalid TLS header. Type: c5, ProtoVersion: 118b, PayloadLen: 68f8