On Wed, May 11, 2016 at 07:40:17PM -0700, David Fifield wrote:
> On Sun, May 08, 2016 at 01:37:47PM -0700, David Fifield wrote:
> > With the meek blocking, it might be that they are doing some kind of
> > timing analysis, or it might be that we screwed up something simple like
> > the TLS signature. Could you try it in these configurations?
> >
> > Tor Browser 5.5.5
> > https://blog.torproject.org/blog/tor-browser-555-released
> > Tor Browser 6.0a5
> > https://blog.torproject.org/blog/tor-browser-60a5-released
> > meek_lite in obfs4proxy
> >
> > TB 6.0a5 uses a different version of Firefox than 5.5.5, so the TLS
> > signature might be different (I haven't checked yet). To run meek_lite,
> > use a torrc file like this one:
> >
> > UseBridges 1
> > ClientTransportPlugin meek_lite exec ./obfs4proxy
> > Bridge meek_lite 0.0.3.0:5 url=https://meek-reflect.appspot.com/ front=www.google.com
>
> Justin helped me by running some tests and we think we know how this
> Cyberoam device is blocking meek connections. It blocks TLS connections
> that have Firefox 38's TLS signature and that have an SNI field that
> is one of our front domains: www.google.com, a0.awsstatic.com,
> ajax.aspnetcdn.com.
If you're curious about what changed in the TLS fingerprint between
Firefox 38 and 45, I did a dissection of the first client hello. The only
difference is in the Application Layer Protocol Negotiation extension
(RFC 7301). The new fingerprint omits support for draft versions of
HTTP/2 (h2-14, h2-15, h2-16).

https://trac.torproject.org/projects/tor/wiki/doc/meek/SampleClientHellos#Firefox38.8.0esronDebianstretchsid2016-05-20
https://trac.torproject.org/projects/tor/wiki/doc/meek/SampleClientHellos#Firefox45.0.2esronDebianstretchsid2016-05-20

  Secure Sockets Layer
      TLSv1.2 Record Layer: Handshake Protocol: Client Hello
          Content Type: Handshake (22)
          Version: TLS 1.0 (0x0301)
-         Length: 205
+         Length: 187
          Handshake Protocol: Client Hello
              Handshake Type: Client Hello (1)
-             Length: 201
+             Length: 183
              Version: TLS 1.2 (0x0303)
              Random
-                 GMT Unix Time: Jul 7, 2073 20:16:39.000000000 PDT
-                 Random Bytes: ffb333dea40c3d3d9b1fec5a4597a4775586382abfe0ee05...
+                 GMT Unix Time: Feb 20, 2060 19:25:19.000000000 PST
+                 Random Bytes: 54f218375ad711853b36f8becbd4b085f0e3f53bb48d4149...
              Session ID Length: 0
              Cipher Suites Length: 22
              Cipher Suites (11 suites)
                  Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                  Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                  Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                  Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                  Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                  Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                  Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                  Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
              Compression Methods Length: 1
              Compression Methods (1 method)
                  Compression Method: null (0)
-             Extensions Length: 138
+             Extensions Length: 120
              Extension: server_name
                  Type: server_name (0x0000)
                  Length: 23
                  Server Name Indication extension
                      Server Name list length: 21
                      Server Name Type: host_name (0)
                      Server Name length: 18
                      Server Name: ajax.aspnetcdn.com
              Extension: renegotiation_info
                  Type: renegotiation_info (0xff01)
                  Length: 1
                  Renegotiation Info extension
                      Renegotiation info extension length: 0
              Extension: elliptic_curves
                  Type: elliptic_curves (0x000a)
                  Length: 8
                  Elliptic Curves Length: 6
                  Elliptic curves (3 curves)
                      Elliptic curve: secp256r1 (0x0017)
                      Elliptic curve: secp384r1 (0x0018)
                      Elliptic curve: secp521r1 (0x0019)
              Extension: ec_point_formats
                  Type: ec_point_formats (0x000b)
                  Length: 2
                  EC point formats Length: 1
                  Elliptic curves point formats (1)
                      EC point format: uncompressed (0)
              Extension: SessionTicket TLS
                  Type: SessionTicket TLS (0x0023)
                  Length: 0
                  Data (0 bytes)
              Extension: next_protocol_negotiation
                  Type: next_protocol_negotiation (0x3374)
                  Length: 0
              Extension: Application Layer Protocol Negotiation
                  Type: Application Layer Protocol Negotiation (0x0010)
-                 Length: 41
-                 ALPN Extension Length: 39
+                 Length: 23
+                 ALPN Extension Length: 21
                  ALPN Protocol
-                     ALPN string length: 5
-                     ALPN Next Protocol: h2-16
-                     ALPN string length: 5
-                     ALPN Next Protocol: h2-15
-                     ALPN string length: 5
-                     ALPN Next Protocol: h2-14
                      ALPN string length: 2
                      ALPN Next Protocol: h2
                      ALPN string length: 8
                      ALPN Next Protocol: spdy/3.1
                      ALPN string length: 8
                      ALPN Next Protocol: http/1.1
              Extension: status_request
                  Type: status_request (0x0005)
                  Length: 5
                  Certificate Status Type: OCSP (1)
                  Responder ID list Length: 0
                  Request Extensions Length: 0
              Extension: signature_algorithms
                  Type: signature_algorithms (0x000d)
                  Length: 22
                  Signature Hash Algorithms Length: 20
                  Signature Hash Algorithms (10 algorithms)
                      Signature Hash Algorithm: 0x0401
                          Signature Hash Algorithm Hash: SHA256 (4)
                          Signature Hash Algorithm Signature: RSA (1)
                      Signature Hash Algorithm: 0x0501
                          Signature Hash Algorithm Hash: SHA384 (5)
                          Signature Hash Algorithm Signature: RSA (1)
                      Signature Hash Algorithm: 0x0601
                          Signature Hash Algorithm Hash: SHA512 (6)
                          Signature Hash Algorithm Signature: RSA (1)
                      Signature Hash Algorithm: 0x0201
                          Signature Hash Algorithm Hash: SHA1 (2)
                          Signature Hash Algorithm Signature: RSA (1)
                      Signature Hash Algorithm: 0x0403
                          Signature Hash Algorithm Hash: SHA256 (4)
                          Signature Hash Algorithm Signature: ECDSA (3)
                      Signature Hash Algorithm: 0x0503
                          Signature Hash Algorithm Hash: SHA384 (5)
                          Signature Hash Algorithm Signature: ECDSA (3)
                      Signature Hash Algorithm: 0x0603
                          Signature Hash Algorithm Hash: SHA512 (6)
                          Signature Hash Algorithm Signature: ECDSA (3)
                      Signature Hash Algorithm: 0x0203
                          Signature Hash Algorithm Hash: SHA1 (2)
                          Signature Hash Algorithm Signature: ECDSA (3)
                      Signature Hash Algorithm: 0x0402
                          Signature Hash Algorithm Hash: SHA256 (4)
                          Signature Hash Algorithm Signature: DSA (2)
                      Signature Hash Algorithm: 0x0202
                          Signature Hash Algorithm Hash: SHA1 (2)
                          Signature Hash Algorithm Signature: DSA (2)

-- 
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
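The dissection above locates the whole fingerprint difference in the ALPN list. As an added example (not from the post, and not meek or obfs4proxy code), here is a small Python builder and parser for a TLS 1.2 ClientHello that carries only the server_name and ALPN extensions; the cipher-suite list and both ALPN lists are taken from the dissection, the other extensions are deliberately left out, and the random bytes are constructed zeros. Parsing both variants yields identical suites and SNI but ALPN extension lengths of 41 and 23, matching the dissection.

```python
import struct

# Cipher suites from the dissection above (identical in Firefox 38 and 45).
CIPHER_SUITES = [0xc02b, 0xc02f, 0xc00a, 0xc009, 0xc013, 0xc014,
                 0x0033, 0x0039, 0x002f, 0x0035, 0x000a]
ALPN_FF38 = ["h2-16", "h2-15", "h2-14", "h2", "spdy/3.1", "http/1.1"]
ALPN_FF45 = ["h2", "spdy/3.1", "http/1.1"]

def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(sni, alpn):
    """Minimal ClientHello handshake message with only server_name and ALPN (constructed)."""
    name = sni.encode()
    sni_list = struct.pack("!BH", 0, len(name)) + name  # one host_name entry
    protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    exts = (_ext(0x0000, struct.pack("!H", len(sni_list)) + sni_list)
            + _ext(0x0010, struct.pack("!H", len(protos)) + protos))
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (b"\x03\x03" + bytes(32) + b"\x00"  # version, zero random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                      # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 + 24-bit length

def parse_client_hello(msg):
    """Extract what a fingerprinting box sees: version, suites, extension lengths, SNI, ALPN."""
    p = 4 + 2 + 32                                  # handshake header, version, random
    p += 1 + msg[p]                                 # session id
    cs_len = struct.unpack("!H", msg[p:p + 2])[0]
    suites = list(struct.unpack("!%dH" % (cs_len // 2), msg[p + 2:p + 2 + cs_len]))
    p += 2 + cs_len
    p += 1 + msg[p]                                 # compression methods
    end = p + 2 + struct.unpack("!H", msg[p:p + 2])[0]
    p += 2
    info = {"version": struct.unpack("!H", msg[4:6])[0], "suites": suites,
            "ext_lens": {}, "sni": None, "alpn": []}
    while p < end:
        etype, elen = struct.unpack("!HH", msg[p:p + 4])
        data, p = msg[p + 4:p + 4 + elen], p + 4 + elen
        info["ext_lens"][etype] = elen
        if etype == 0x0000:                         # server_name: list len, type, name len
            info["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
        elif etype == 0x0010:                       # ALPN: length-prefixed protocol names
            q = 2
            while q < len(data):
                info["alpn"].append(data[q + 1:q + 1 + data[q]].decode())
                q += 1 + data[q]
    return info
```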
