Using the following ClientHelloID will produce tls: CurvePreferences includes unsuppor

test link is <a href="https://01-tx.audience.gcc.teams.microsoft.com:11024/" rel="nofo

Below is my test code. <div class="highlight highlight-source-go notranslate posit

Can you provide a minimal reproducible example </blo

<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="22

Note: you will still need to manually advertise HTTP/1.1 after <a class="issue-link js

Secured Renegotiation is not supported about utls HOT 10 CLOSED

bufsnake commented on August 11, 2024

Secured Renegotiation is not supported

from utls.

Comments (10)

bufsnake commented on August 11, 2024

test link is https://01-tx.audience.gcc.teams.microsoft.com:11024/.

from utls.

gaukas commented on August 11, 2024

Can you provide a minimal reproducible example along with optional pcap?

from utls.

gaukas commented on August 11, 2024

Apparently these two errors have something to do with how you set things up.

By simply doing the following

	conn, err := net.Dial("tcp", "01-tx.audience.gcc.teams.microsoft.com:11024")
	if err != nil {
		panic(err)
	}

	tlsConn := tls.UClient(conn, &tls.Config{ServerName: "01-tx.audience.gcc.teams.microsoft.com"}, tls.HelloChrome_120)
	if err := tlsConn.Handshake(); err != nil {
		panic(err)
	}

Handshake could complete without any problem for HelloChrome_120 and HelloFirefox_120, and I am too lazy to test the rest of them.

from utls.

bufsnake commented on August 11, 2024

Below is my test code.

package main

import (
	"bufio"
	"fmt"
	tls "github.com/refraction-networking/utls"
	"golang.org/x/net/http2"
	"io"
	"log"
	"math/rand"
	"net"
	"net/http"
	"strings"
	"time"
)

func main() {
	cli := http.Client{
		Transport: NewUTransport(30),
	}
	req, err := http.NewRequest(http.MethodGet, "https://01-tx.audience.gcc.teams.microsoft.com:11024/", nil)
	//req, err = http.NewRequest(http.MethodGet, "https://google.com", nil)
	if err != nil {
		log.Fatalln(err)
	}
	resp, err := cli.Do(req)
	if err != nil {
		log.Fatalln(err)
	}
	defer resp.Body.Close()
	all, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Fatalln(err)
	}
	fmt.Println("BodyLength", len(all))
	fmt.Println("StatusCode", resp.StatusCode)
	
}

// ref: https://sxyz.blog/bypass-cloudflare-shield/
type UTransport struct {
	timeout int
	tr      *http2.Transport
}

func NewUTransport(timeout int) *UTransport {
	return &UTransport{
		timeout: timeout,
		tr:      &http2.Transport{},
	}
}

func (u *UTransport) newSpec() (*tls.ClientHelloSpec, error) {
	ids := []tls.ClientHelloID{
		//tls.HelloFirefox_102,
		//tls.HelloFirefox_105,
		//tls.HelloFirefox_120,
		tls.HelloChrome_100,
		tls.HelloChrome_102,
		tls.HelloChrome_106_Shuffle,
		tls.HelloChrome_120,
		tls.HelloEdge_106,
		tls.HelloSafari_16_0,
	}
	spec, err := tls.UTLSIdToSpec(ids[rand.Intn(len(ids))])
	return &spec, err
}

func (u *UTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if strings.ToLower(req.URL.Scheme) != "https" {
		return nil, fmt.Errorf("unsupported scheme: %s", req.URL.Scheme)
	}
	res_ := &http.Response{}
	err_ := make(chan error)
	fin_ := make(chan interface{})
	go func(r *http.Request) {
		var err error
		res_, err = u.connect(r)
		if err != nil {
			err_ <- err
			return
		}
		fin_ <- nil
	}(req)
	select {
	case <-time.After(time.Duration(u.timeout) * time.Second):
		return nil, fmt.Errorf("%s timeout", req.URL)
	case err := <-err_:
		return nil, err
	case <-fin_:
		return res_, nil
	}
}

func (u *UTransport) connect(req *http.Request) (*http.Response, error) {
	port := req.URL.Port()
	if port == "" {
		port = "443"
	}
	conn, err := net.DialTimeout("tcp", fmt.Sprintf("%s:%s", strings.Split(req.URL.Host, ":")[0], port), time.Duration(u.timeout)*time.Second)
	if err != nil {
		return nil, fmt.Errorf("net.DialTimeout error: %+v", err)
	}
	uConn := tls.UClient(conn, &tls.Config{
		ServerName: "01-tx.audience.gcc.teams.microsoft.com",
	}, tls.HelloCustom)
	spec, err := u.newSpec()
	if err != nil {
		return nil, err
	}
	if err = uConn.ApplyPreset(spec); err != nil {
		return nil, fmt.Errorf("uConn.ApplyPreset() error: %+v", err)
	}
	if err = uConn.Handshake(); err != nil {
		return nil, fmt.Errorf("uConn.Handshake() error: %+v", err)
	}
	alpn := uConn.ConnectionState().NegotiatedProtocol
	switch alpn {
	case "h2":
		req.Proto = "HTTP/2.0"
		req.ProtoMajor = 2
		req.ProtoMinor = 0
		if c, err := u.tr.NewClientConn(uConn); err == nil {
			return c.RoundTrip(req)
		} else {
			return nil, fmt.Errorf("http2.Transport.NewClientConn() error: %+v", err)
		}
	case "http/1.1", "":
		req.Proto = "HTTP/1.1"
		req.ProtoMajor = 1
		req.ProtoMinor = 1
		if err = req.Write(uConn); err == nil {
			return http.ReadResponse(bufio.NewReader(uConn), req)
		} else {
			return nil, fmt.Errorf("http.Request.Write() error: %+v", err)
		}
	default:
		return nil, fmt.Errorf("unsupported ALPN: %v", alpn)
	}
}

from utls.

gaukas commented on August 11, 2024

Can you provide a minimal reproducible example

Please try to reduce the unnecessary/irrelevant code next time.

From your code I think the critical part is

func newSpec() (*tls.ClientHelloSpec, error) {
	ids := []tls.ClientHelloID{
		//tls.HelloFirefox_102,
		//tls.HelloFirefox_105,
		//tls.HelloFirefox_120,
		tls.HelloChrome_100,
		tls.HelloChrome_102,
		tls.HelloChrome_106_Shuffle,
		tls.HelloChrome_120,
		tls.HelloEdge_106,
		tls.HelloSafari_16_0,
	}
	spec, err := tls.UTLSIdToSpec(ids[rand.Intn(len(ids))])
	return &spec, err
}

func main() {
	conn, err := net.DialTimeout("tcp", "01-tx.audience.gcc.teams.microsoft.com:11024", 10*time.Second)
	if err != nil {
		panic(err)
	}
	uConn := tls.UClient(conn, &tls.Config{
		ServerName: "01-tx.audience.gcc.teams.microsoft.com",
	}, tls.HelloCustom)
	spec, err := newSpec()
	if err != nil {
		panic(err)
	}
	if err = uConn.ApplyPreset(spec); err != nil {
		panic(err)
	}
	if err = uConn.Handshake(); err != nil {
		panic(err)
	}
}

However the code above does not give me any error so far.

Further investigation with pcap (that's why you REALLY should provide one) shows the problem is actually due to the server sending a Hello Request AFTER a TLS Handshake is done. Major web browsers at this moment will renegotiate over the same TCP connection by sending another ClientHello and this is not supported by uTLS at the moment. I'm not sure if this is supported by our upstream crypto/tls either.

from utls.

gaukas commented on August 11, 2024

As of why the error message differs, I have no idea. Perhaps due to different states of an internal variable due to different set of TLS Extensions are being advertised/selected. But anyways, the server essentially sent the same message, a encrypted Hello Request with 0x00, 0x00, 0x00, 0x00 as its plaintext payload.

from utls.

gaukas commented on August 11, 2024

~~For now unless our upstream supports it, this feature will not be implemented by our team. But if you want a PR is always welcomed. I will leave this issue open.~~

This is a confirmed bug.

from utls.

gaukas commented on August 11, 2024

An update to this: the example code no longer work due to now the server requires the client to be advertising HTTP/1.1 instead of HTTP/2.

And I have been looking into this problem. It seems uTLS does not really support renegotiation and caused this problem. I am currently working on it.

from utls.

gaukas commented on August 11, 2024

#291 is related.

from utls.

gaukas commented on August 11, 2024

Note: you will still need to manually advertise HTTP/1.1 after #292 fixes the underlying bug.

from utls.

Secured Renegotiation is not supported about utls HOT 10 CLOSED

Comments (10)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent