-
Notifications
You must be signed in to change notification settings - Fork 237
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secured Renegotiation is not supported #284
Comments
test link is https://01-tx.audience.gcc.teams.microsoft.com:11024/. |
Can you provide a minimal reproducible example along with optional pcap? |
Apparently these two errors have something to do with how you set things up. By simply doing the following conn, err := net.Dial("tcp", "01-tx.audience.gcc.teams.microsoft.com:11024")
if err != nil {
panic(err)
}
tlsConn := tls.UClient(conn, &tls.Config{ServerName: "01-tx.audience.gcc.teams.microsoft.com"}, tls.HelloChrome_120)
if err := tlsConn.Handshake(); err != nil {
panic(err)
} Handshake could complete without any problem for |
Below is my test code. package main
import (
"bufio"
"fmt"
tls "github.com/refraction-networking/utls"
"golang.org/x/net/http2"
"io"
"log"
"math/rand"
"net"
"net/http"
"strings"
"time"
)
func main() {
cli := http.Client{
Transport: NewUTransport(30),
}
req, err := http.NewRequest(http.MethodGet, "https://01-tx.audience.gcc.teams.microsoft.com:11024/", nil)
//req, err = http.NewRequest(http.MethodGet, "https://google.com", nil)
if err != nil {
log.Fatalln(err)
}
resp, err := cli.Do(req)
if err != nil {
log.Fatalln(err)
}
defer resp.Body.Close()
all, err := io.ReadAll(resp.Body)
if err != nil {
log.Fatalln(err)
}
fmt.Println("BodyLength", len(all))
fmt.Println("StatusCode", resp.StatusCode)
}
// ref: https://sxyz.blog/bypass-cloudflare-shield/
type UTransport struct {
timeout int
tr *http2.Transport
}
func NewUTransport(timeout int) *UTransport {
return &UTransport{
timeout: timeout,
tr: &http2.Transport{},
}
}
func (u *UTransport) newSpec() (*tls.ClientHelloSpec, error) {
ids := []tls.ClientHelloID{
//tls.HelloFirefox_102,
//tls.HelloFirefox_105,
//tls.HelloFirefox_120,
tls.HelloChrome_100,
tls.HelloChrome_102,
tls.HelloChrome_106_Shuffle,
tls.HelloChrome_120,
tls.HelloEdge_106,
tls.HelloSafari_16_0,
}
spec, err := tls.UTLSIdToSpec(ids[rand.Intn(len(ids))])
return &spec, err
}
func (u *UTransport) RoundTrip(req *http.Request) (*http.Response, error) {
if strings.ToLower(req.URL.Scheme) != "https" {
return nil, fmt.Errorf("unsupported scheme: %s", req.URL.Scheme)
}
res_ := &http.Response{}
err_ := make(chan error)
fin_ := make(chan interface{})
go func(r *http.Request) {
var err error
res_, err = u.connect(r)
if err != nil {
err_ <- err
return
}
fin_ <- nil
}(req)
select {
case <-time.After(time.Duration(u.timeout) * time.Second):
return nil, fmt.Errorf("%s timeout", req.URL)
case err := <-err_:
return nil, err
case <-fin_:
return res_, nil
}
}
func (u *UTransport) connect(req *http.Request) (*http.Response, error) {
port := req.URL.Port()
if port == "" {
port = "443"
}
conn, err := net.DialTimeout("tcp", fmt.Sprintf("%s:%s", strings.Split(req.URL.Host, ":")[0], port), time.Duration(u.timeout)*time.Second)
if err != nil {
return nil, fmt.Errorf("net.DialTimeout error: %+v", err)
}
uConn := tls.UClient(conn, &tls.Config{
ServerName: "01-tx.audience.gcc.teams.microsoft.com",
}, tls.HelloCustom)
spec, err := u.newSpec()
if err != nil {
return nil, err
}
if err = uConn.ApplyPreset(spec); err != nil {
return nil, fmt.Errorf("uConn.ApplyPreset() error: %+v", err)
}
if err = uConn.Handshake(); err != nil {
return nil, fmt.Errorf("uConn.Handshake() error: %+v", err)
}
alpn := uConn.ConnectionState().NegotiatedProtocol
switch alpn {
case "h2":
req.Proto = "HTTP/2.0"
req.ProtoMajor = 2
req.ProtoMinor = 0
if c, err := u.tr.NewClientConn(uConn); err == nil {
return c.RoundTrip(req)
} else {
return nil, fmt.Errorf("http2.Transport.NewClientConn() error: %+v", err)
}
case "http/1.1", "":
req.Proto = "HTTP/1.1"
req.ProtoMajor = 1
req.ProtoMinor = 1
if err = req.Write(uConn); err == nil {
return http.ReadResponse(bufio.NewReader(uConn), req)
} else {
return nil, fmt.Errorf("http.Request.Write() error: %+v", err)
}
default:
return nil, fmt.Errorf("unsupported ALPN: %v", alpn)
}
} |
Please try to reduce the unnecessary/irrelevant code next time. From your code I think the critical part is func newSpec() (*tls.ClientHelloSpec, error) {
ids := []tls.ClientHelloID{
//tls.HelloFirefox_102,
//tls.HelloFirefox_105,
//tls.HelloFirefox_120,
tls.HelloChrome_100,
tls.HelloChrome_102,
tls.HelloChrome_106_Shuffle,
tls.HelloChrome_120,
tls.HelloEdge_106,
tls.HelloSafari_16_0,
}
spec, err := tls.UTLSIdToSpec(ids[rand.Intn(len(ids))])
return &spec, err
}
func main() {
conn, err := net.DialTimeout("tcp", "01-tx.audience.gcc.teams.microsoft.com:11024", 10*time.Second)
if err != nil {
panic(err)
}
uConn := tls.UClient(conn, &tls.Config{
ServerName: "01-tx.audience.gcc.teams.microsoft.com",
}, tls.HelloCustom)
spec, err := newSpec()
if err != nil {
panic(err)
}
if err = uConn.ApplyPreset(spec); err != nil {
panic(err)
}
if err = uConn.Handshake(); err != nil {
panic(err)
}
} However the code above does not give me any error so far. Further investigation with pcap (that's why you REALLY should provide one) shows the problem is actually due to the server sending a Hello Request AFTER a TLS Handshake is done. Major web browsers at this moment will renegotiate over the same TCP connection by sending another ClientHello and this is not supported by uTLS at the moment. I'm not sure if this is supported by our upstream |
As of why the error message differs, I have no idea. Perhaps due to different states of an internal variable due to different set of TLS Extensions are being advertised/selected. But anyways, the server essentially sent the same message, a encrypted Hello Request with |
This is a confirmed bug. |
An update to this: the example code no longer work due to now the server requires the client to be advertising HTTP/1.1 instead of HTTP/2. And I have been looking into this problem. It seems uTLS does not really support renegotiation and caused this problem. I am currently working on it. |
#291 is related. |
Note: you will still need to manually advertise HTTP/1.1 after #292 fixes the underlying bug. |
Using the following ClientHelloID will produce tls: CurvePreferences includes unsupported curve error.
Using the following ClientHelloID will generate a panic: tls: LoadSessionCoordinator.onEnterLoadSessionCheck failed: session is set and locked, no call to loadSession is allowed error.
The text was updated successfully, but these errors were encountered: