#25804: Domain fronting to App Engine stopped working -----------------------------------+------------------------ Reporter: dcf | Owner: (none) Type: defect | Status: new Priority: Medium | Milestone: Component: Obfuscation/Snowflake | Version: Severity: Normal | Resolution: Keywords: | Actual Points: Parent ID: | Points: Reviewer: | Sponsor: -----------------------------------+------------------------
Comment (by dcf): Replying to [comment:2 cypherpunks]: > > <p>This HTTP request has a Host header that is not covered \ > > by the TLS certificate used. Due to an infrastructure change, \ > > this request cannot be processed.</p></body></html> > > No domain fronting to App Engine but works without SNI I confirm that this is the case. Resolve www.google.com to an IP address, access the server via its IP address (need to override the certificate check) and pass a Host header: {{{ $ dig +short www.google.com 172.217.11.164 $ wget --content-on-error --save-header --no-check-certificate -q -O- https://172.217.11.164/ip --header 'Host: snowflake-reg.appspot.com' HTTP/1.1 200 OK Content-Type: text/plain; charset=utf-8 X-Cloud-Trace-Context: b0805cfcb7d0d60a3f5352c65879afaa Date: Sun, 15 Apr 2018 22:18:54 GMT Server: Google Frontend Content-Length: 13 Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35" X.X.X.X }}} Related meek ticket (not implemented): * #12208: Make it possible to use an IP address as a front If someone has a ticket for SNI-less Snowflake rendezvous, it would be very welcome. The relevant code is here: https://gitweb.torproject.org/pluggable- transports/snowflake.git/tree/client/rendezvous.go?id=c61336c897b5d21cc94a21241e98b33df5dcbf78#n61 Here is a cheesy proof of concept. It's not suitable because it disable certificate verification (`InsecureSkipVerify`). What's needed is another parameter to verify the certificate ''as if'' we had accessed www.google.com (or other specific domain). {{{#!diff diff --git a/client/rendezvous.go b/client/rendezvous.go index cab7f5a..c74e041 100644 --- a/client/rendezvous.go +++ b/client/rendezvous.go @@ -14,9 +14,11 @@ package main import ( "bufio" "bytes" + "crypto/tls" "errors" "io/ioutil" "log" + "net" "net/http" "net/url" "os" @@ -46,6 +48,10 @@ type BrokerChannel struct { func CreateBrokerTransport() http.RoundTripper { transport := http.DefaultTransport.(*http.Transport) transport.Proxy = nil + // haxxx + transport.TLSClientConfig = &tls.Config{ + InsecureSkipVerify: true, + } return transport } @@ -61,9 +67,17 @@ func NewBrokerChannel(broker string, front string, transport http.RoundTripper) bc := new(BrokerChannel) bc.url = targetURL if "" != front { // Optional front domain. - log.Println("Domain fronting using:", front) + var addr net.Addr + addr, err = net.ResolveIPAddr("ip", front) + if nil != err { + addr, err = net.ResolveTCPAddr("tcp", front) + if nil != err { + return nil + } + } + log.Println("Domain fronting using:", addr) bc.Host = bc.url.Host - bc.url.Host = front + bc.url.Host = addr.String() } bc.transport = transport }}} -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25804#comment:6> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs