search

xvzc / SpoofDPI

A simple and fast anti-censorship tool written in Go
Apache License 2.0
3.38k stars 246 forks source link

error reading client hello #197

Closed kommunist closed 3 weeks ago

kommunist commented 3 weeks ago

Version

spoof-dpi v0.10.11

Operating System

armbian

How are you running SpoofDPI?

spoof-dpi --addr=192.168.2.23 --port 8081 --debug

Description

error reading client hello from 192.168.2.1:56784: invalid TLS header. Type: c5, ProtoVersion: 118b, PayloadLen: 68f8

LiquidTheDangerous commented 3 weeks ago

@kommunist Expected a valid header from the client, received a strange one. Is there a stable way to reproduce this? It prevents tunneling? Can you attach complete logs?

kommunist commented 3 weeks ago

@LiquidTheDangerous , of course. Is this what do you want?

bananapipro:~:# sudo journalctl -u spoof-dpi.service --no-pager | grep 55bb099d-5ecab492-e4c98600-bcb293e2
Aug 25 15:02:47 bananapipro spoof-dpi[8250]: 2024-08-25T15:02:47Z DBG 55bb099d-5ecab492-e4c98600-bcb293e2 [HTTPS] new connection to the server 192.168.2.23:46308 -> 91.105.192.100
Aug 25 15:02:47 bananapipro spoof-dpi[8250]: 2024-08-25T15:02:47Z DBG 55bb099d-5ecab492-e4c98600-bcb293e2 [HTTPS] sent connection estabalished to 192.168.2.1:58642
Aug 25 15:02:47 bananapipro spoof-dpi[8250]: 2024-08-25T15:02:47Z DBG 55bb099d-5ecab492-e4c98600-bcb293e2 [HTTPS] error reading client hello from 192.168.2.1:58642: invalid TLS header. Type: 50, ProtoVersion: 4f53, PayloadLen: 5420
LiquidTheDangerous commented 3 weeks ago

@kommunist Can you do it from a client device? And attach full logs pls

curl --request GET --url https://www.google.com --proxy <spoof-dpi-host>:<port>

Attach logs after attempting to connect

LiquidTheDangerous commented 3 weeks ago

@kommunist Did a little magic. From previous attachment, Looks like the client is trying to do an HTTP request instead of a handshake. How are you using the proxy? Client settings?

invalid TLS header. Type: 50, ProtoVersion: 4f53, PayloadLen: 5420

>>> list(map(chr, [0x50, 0x4f, 0x53, 0x54, 0x20]))

>>> ['P', 'O', 'S', 'T', ' ']

For a proxy in HTTPS mode, the client must send a request to proxy to establish a tunnel to remote service, then must send client hello

The client must be aware that he is using a proxy

xvzc commented 3 weeks ago

@LiquidTheDangerous Maybe the client is trying to send a HTTP Request through the existing socket which has been created for HTTPS connection. Current version of spoof-dpi cannot handle that case.

LiquidTheDangerous commented 3 weeks ago

@xvzc Doubtful... Is there any evidence for this? I think there should be a separate pool of connections for http and https schemes for single domain

Maybe you've seen something like this implemented somewhere?

In any case, if a tunnel is created, any requests can go through it. But for some reason the client does not send a handshake

xvzc commented 3 weeks ago

i have no idea too. The client must have sent CONNECT method, however the first message wasn't a client hello but raw http request. sholud we then just bypass the packet when it is not a valid client hello?

LiquidTheDangerous commented 3 weeks ago

I think it's worth finding out the proxy settings on the client device

@kommunist

LiquidTheDangerous commented 3 weeks ago

@WSA1k what is that?

xvzc commented 3 weeks ago

It's a spam

LiquidTheDangerous commented 3 weeks ago

@xvzc I think we need to find a stable way to reproduce this first

kommunist commented 3 weeks ago

I use spoof as proxy for full trafic from separated network for TV. I build proxy from Keenetic router to singleboard bananapi.

I will generate and post logs today later

LiquidTheDangerous commented 3 weeks ago

@kommunist Is there a proxy setting on your TV? Or are you just redirecting all traffic through spoof dpi?

kommunist commented 3 weeks ago

No, i build proxy from router. I redirect all trafic from some network trough spoof dpi.

xvzc commented 3 weeks ago

You mean spoof-dpi is running on your router?

kommunist commented 3 weeks ago

No, i use bananapi on arm architecture in this network and proxy full trafic over this.

kommunist commented 3 weeks ago 
███████ ██████   ██████   ██████  ███████ ██████  ██████  ██ 
██      ██   ██ ██    ██ ██    ██ ██      ██   ██ ██   ██ ██ 
███████ ██████  ██    ██ ██    ██ █████   ██   ██ ██████  ██ 
     ██ ██      ██    ██ ██    ██ ██      ██   ██ ██      ██ 
███████ ██       ██████   ██████  ██      ██████  ██      ██ 

• ADDR    : 192.168.2.23
• PORT    : 8081
• DNS     : 8.8.8.8
• DEBUG   : true

Press 'CTRL + c' to quit

2024-08-26T08:06:29Z INF [PROXY] created a listener on port 8081
2024-08-26T08:07:34Z DBG [PROXY] request from 192.168.2.23:37104

CONNECT www.youtube.com:443 HTTP/1.1
Host: www.youtube.com:443
User-Agent: curl/8.5.0
Proxy-Connection: Keep-Alive

2024-08-26T08:07:34Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [DNS] resolving www.youtube.com using general resolver(8.8.8.8:53)
2024-08-26T08:07:34Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [DNS] resolved 142.251.1.198 from www.youtube.com in 28 ms
2024-08-26T08:07:34Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] new connection to the server 192.168.2.23:35726 -> www.youtube.com
2024-08-26T08:07:34Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] sent connection estabalished to 192.168.2.23:37104
2024-08-26T08:07:34Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] client sent hello 517 bytes
2024-08-26T08:07:34Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] writing chunked client hello to www.youtube.com
2024-08-26T08:07:34Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] window-size: 0
2024-08-26T08:07:34Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] using legacy fragmentation
2024-08-26T08:07:35Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] finished reading from 192.168.2.23:37104
2024-08-26T08:07:35Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] error reading from www.youtube.com: read tcp 192.168.2.23:35726->142.251.1.198:443: use of closed network connection
2024-08-26T08:07:35Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] closing proxy connection: 192.168.2.23:37104 -> www.youtube.com
2024-08-26T08:07:35Z DBG b96f5e0e-90bf75b1-91d82c95-dce08ac6 [HTTPS] closing proxy connection: www.youtube.com -> 192.168.2.23:37104
kommunist commented 3 weeks ago

This is full log. Thire isn`t problem with hello, but another problem with "closed network connection"

xvzc commented 3 weeks ago

closed connection error is a normal behavior

LiquidTheDangerous commented 3 weeks ago

@kommunist

According to this scheme. Client should be aware about proxy.

It seems that it won't be possible to simply forward all client packets through a proxy

image

kommunist commented 3 weeks ago

I resolve my problems, thank you. Problem was on DoH on my router, but i think that is problem with hello request.