Hi,

I'm almost done implementing TLS fragmentation for GnuTLS as well (through the hacky way I described in my previous email). Should I just add it to the existing MR (https://gitlab.com/openconnect/openconnect/-/merge_requests/567) or do I have to create a new one?

Regards,
Alireza

On Mon, Sep 2, 2024 at 1:59 PM Alireza <m...@moorko.net> wrote:
>
> > Here's a recent and very timely Twitter thread that touches on using
> > packet fragmentation at various layers to defeat censorship:
> > https://twitter.com/endermanch/status/1829648801612906916
>
> Thanks for the link. I could only find him talking about splitting
> HTTP into multiple TCP segments which is basically outdated now as
> (almost) no one uses plain HTTP.
>
> > As described in this thread, injecting extra fragmentation is AT BEST
> > a stopgap solution, exploiting a lack of (or bugginess in) stateful
> > session tracking, and nation-level censors WILL eventually prevent it
> > from working.
>
> I partially agree with you. For a packet dissection/processing system
> that should operate on a very high scale (e.g. nationwide), it is very
> difficult to maintain state as it requires lots of resources. I'm not
> saying it's not possible to do it but it makes their life harder as
> they often have to reassemble packets in order to be able to parse
> them. This process is inherently expensive because it involves
> buffering packets and waiting for the rest.
> That said, it's not a silver bullet; it's just one technique among
> many. However, the advantage is that these techniques can be combined
> to create a more effective solution.
>
>
> > Sounds like you've already implemented it for OpenSSL? Does using this
> > API actually allow you to successfully bypass the Divar-e-Bozorg and
> > establish a TLS handshake with a TLS-based VPN server? 😅
> >
> > And if so, can you share the code/diff? (Perhaps privately if you prefer.)
>
> I created a draft PR so you can see what I've done so far:
> https://gitlab.com/openconnect/openconnect/-/merge_requests/567
> I haven't tested it personally yet, but I know this technique is
> widely used by people who bypass the Divar-e-Bozorg (which translates
> to "Great Wall") using V2Ray-based proxies and even their own custom
> censorship circumvention tools, such as
> https://github.com/bepass-org/bepass.
>
>
> > If this technique does actually work for circumventing censorship, I
> > think we could make a very good case for adding a similar capability
> > to GnuTLS and I'd be happy to help with it :-)
>
>
> The technique is proven to work:
> * See section 7: https://dl.acm.org/doi/epdf/10.1145/3487552.3487858
> * This is an amazing blog post specifically about TLS fragmentation:
> https://upb-syssec.github.io/blog/2023/record-fragmentation/
>
> I'd love to help and add this capability to GnuTLS!
>
> > You might also be interested in
> > https://gitlab.com/openconnect/openconnect/-/merge_requests/297, where
> > I added the `--sni` option to aid in
> > https://en.wikipedia.org/wiki/Domain_fronting (another anti-censorship
> > technique).
>
> Yes I actually saw it and I remember the time it was released I was
> happy because it made my life easier. Before that, I had to use the
> `--resolve` cli argument to simulate this behavior. Thanks🙂
>
>
> On Mon, Sep 2, 2024 at 1:15 AM Daniel Lenski <dlen...@gmail.com> wrote:
> >
> > On Sun, Sep 1, 2024 at 4:10 PM Daniel Lenski <dlen...@gmail.com> wrote:
> > >
> > > On Sun, Sep 1, 2024 at 1:46 PM Moorko <m...@moorko.net> wrote:
> > > >
> > > > Thanks for your detailed response, Daniel.
> > > >
> > > > I now realize that I clearly missed the big picture here as I'm
> > > > relatively new to this domain.
> > >
> > > No worries! Looks like you're tackling a tricky problem and asking the
> > > right questions :-)
> > >
> > > > > I'm not sure what "flexible" means specifically.
> > > >
> > > > I'm implementing a TLS handshake fragmentation feature for OpenConnect
> > > > so that it can better resist internet censorship in Iran (and
> > > > potentially in other places as well).
> > >
> > > Ah. We have a tag for Iran-censorship-related issues, definitely
> > > peruse these if you haven't already:
> > > https://gitlab.com/openconnect/openconnect/-/issues/?label_name%5B%5D=Damet%20Garm
> >
> > You might also be interested in
> > https://gitlab.com/openconnect/openconnect/-/merge_requests/297, where
> > I added the `--sni` option to aid in
> > https://en.wikipedia.org/wiki/Domain_fronting (another anti-censorship
> > technique).
> >
> > That one also required some careful fine-tuning to handle the change
> > in expectations of the server's TLS certificate when built with either
> > OpenSSL or GnuTLS.

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel