Comments (9)
So you are basically saying you copy-pasted the preset of HelloChrome_120 from u_parrot.go and trying to use it as a custom ClientHelloSpec but with no luck.
That's correct, with the exception of commenting out TLS 1.3 in the supported TLS versions in the ClientSpec somehow not giving an error.
I can confirm that I am not re-using the ClientSpec as this is currently running inside a unit test that just makes a single client with a single request going out.
Good catch on that config.PreferSkipResumptionOnNilExtension
this got my hopes up but despite adding it the issue remains the same.
I will try a pcap sometime today and post full code that reproduces this issue as well.
from utls.
Excuse me for intrusion.
What caught my eye on these screenshots is that SNI is incorrect on redirected connection in the first case (it's google.com
, although www.google.com
is expected). DNS query is for www.google.com
, so host is probably passed in correctly.
On the second screenshot second connection's SNI is correct.
My bet is that there's something wrong with SNI. I support @gaukas' suggestion about Handshake()
and also suggest trying SetSNI()
before Handshake()
(at least that's the way I use custom ClientHello specs and it works).
from utls.
Thanks, it didn't look like a re-use at first glance but looking deeper into it it really is a re-use and I got PoC working that fixes that within my code base.
Thank you all very much for your help and patience.
from utls.
Interesting. So you are basically saying you copy-pasted the preset of HelloChrome_120
from u_parrot.go
and trying to use it as a custom ClientHelloSpec but with no luck.
While I have not yet encounter such problem in the past, here's a few thing you might want to double check:
- Are you reusing your
spec
? Currently uTLS modifies the input spec, the solution is making a deep copy every time (#111). - Perhaps you are not setting
config.PreferSkipResumptionOnNilExtension
totrue
while not including PSK in yourConfig
, when using a custom parrot.
Line 69 in d2768e4
Plus, doing a pcap may efficiently assist you in figuring out in which step of the TLS handshake did the error occur. You may also want to trace back to which tls: internal error
are you seeing. I think uTLS has a longer error message like tls: internal error: attempted to read record with pending application data
instead of just tls: internal error
.
from utls.
Also I would suggest explicitly call uTLSConn.Handshake()
after you call ApplyPreset()
to see if it errors. So far I have tried a variety of combinations of possible utls.Config
fields but was able to connect to www.google.com:443
anyways. If you can share a hard-coded Config
you used to reproduce this error, either me or someone from the community might be able to help you.
from utls.
When using the ClientHelloId it seems to be able to handle that redirect:
I'm a bit rusty with wireshark, but I will try and dig deeper into this tomorrow
from utls.
Code that reproduces the issue can be found here:
https://github.com/BRUHItsABunny/gOkHttp-ja3spoof/blob/test/tls-1-3-issue/client_opt_test.go
I will work on a snippet that doesn't use oohttp to see if I can limit the possibilities of outside influences
from utls.
SNI is incorrect on redirected connection
Good catch. And I actually think it is an indication of an old client spec being reused -- or something else is happening which prevented the server name from updating.
from utls.
Code Reproduce
package main
import (
"fmt"
"net"
tls "github.com/refraction-networking/utls"
)
var spec tls.ClientHelloSpec = tls.ClientHelloSpec{
CipherSuites: []uint16{
tls.GREASE_PLACEHOLDER,
tls.TLS_AES_128_GCM_SHA256,
tls.TLS_AES_256_GCM_SHA384,
tls.TLS_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
},
CompressionMethods: []byte{
0x00, // compressionNone
},
Extensions: tls.ShuffleChromeTLSExtensions([]tls.TLSExtension{
&tls.UtlsGREASEExtension{},
&tls.SNIExtension{},
&tls.ExtendedMasterSecretExtension{},
&tls.RenegotiationInfoExtension{Renegotiation: tls.RenegotiateOnceAsClient},
&tls.SupportedCurvesExtension{Curves: []tls.CurveID{
tls.GREASE_PLACEHOLDER,
tls.X25519,
tls.CurveP256,
tls.CurveP384,
}},
&tls.SupportedPointsExtension{SupportedPoints: []byte{
0x00, // pointFormatUncompressed
}},
&tls.SessionTicketExtension{},
&tls.ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}},
&tls.StatusRequestExtension{},
&tls.SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []tls.SignatureScheme{
tls.ECDSAWithP256AndSHA256,
tls.PSSWithSHA256,
tls.PKCS1WithSHA256,
tls.ECDSAWithP384AndSHA384,
tls.PSSWithSHA384,
tls.PKCS1WithSHA384,
tls.PSSWithSHA512,
tls.PKCS1WithSHA512,
}},
&tls.SCTExtension{},
&tls.KeyShareExtension{KeyShares: []tls.KeyShare{
{Group: tls.CurveID(tls.GREASE_PLACEHOLDER), Data: []byte{0}},
{Group: tls.X25519},
}},
&tls.PSKKeyExchangeModesExtension{Modes: []uint8{
tls.PskModeDHE,
}},
&tls.SupportedVersionsExtension{Versions: []uint16{
tls.GREASE_PLACEHOLDER,
tls.VersionTLS13,
tls.VersionTLS12,
}},
&tls.UtlsCompressCertExtension{Algorithms: []tls.CertCompressionAlgo{
tls.CertCompressionBrotli,
}},
&tls.ApplicationSettingsExtension{SupportedProtocols: []string{"h2"}},
tls.BoringGREASEECH(),
&tls.UtlsGREASEExtension{},
}),
}
func getSpec() *tls.ClientHelloSpec {
return &tls.ClientHelloSpec{
CipherSuites: []uint16{
tls.GREASE_PLACEHOLDER,
tls.TLS_AES_128_GCM_SHA256,
tls.TLS_AES_256_GCM_SHA384,
tls.TLS_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
},
CompressionMethods: []byte{
0x00, // compressionNone
},
Extensions: tls.ShuffleChromeTLSExtensions([]tls.TLSExtension{
&tls.UtlsGREASEExtension{},
&tls.SNIExtension{},
&tls.ExtendedMasterSecretExtension{},
&tls.RenegotiationInfoExtension{Renegotiation: tls.RenegotiateOnceAsClient},
&tls.SupportedCurvesExtension{Curves: []tls.CurveID{
tls.GREASE_PLACEHOLDER,
tls.X25519,
tls.CurveP256,
tls.CurveP384,
}},
&tls.SupportedPointsExtension{SupportedPoints: []byte{
0x00, // pointFormatUncompressed
}},
&tls.SessionTicketExtension{},
&tls.ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}},
&tls.StatusRequestExtension{},
&tls.SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []tls.SignatureScheme{
tls.ECDSAWithP256AndSHA256,
tls.PSSWithSHA256,
tls.PKCS1WithSHA256,
tls.ECDSAWithP384AndSHA384,
tls.PSSWithSHA384,
tls.PKCS1WithSHA384,
tls.PSSWithSHA512,
tls.PKCS1WithSHA512,
}},
&tls.SCTExtension{},
&tls.KeyShareExtension{KeyShares: []tls.KeyShare{
{Group: tls.CurveID(tls.GREASE_PLACEHOLDER), Data: []byte{0}},
{Group: tls.X25519},
}},
&tls.PSKKeyExchangeModesExtension{Modes: []uint8{
tls.PskModeDHE,
}},
&tls.SupportedVersionsExtension{Versions: []uint16{
tls.GREASE_PLACEHOLDER,
tls.VersionTLS13,
tls.VersionTLS12,
}},
&tls.UtlsCompressCertExtension{Algorithms: []tls.CertCompressionAlgo{
tls.CertCompressionBrotli,
}},
&tls.ApplicationSettingsExtension{SupportedProtocols: []string{"h2"}},
tls.BoringGREASEECH(),
&tls.UtlsGREASEExtension{},
}),
}
}
var config tls.Config = tls.Config{
InsecureSkipVerify: true,
ServerName: "google.com",
NextProtos: []string{"h2", "http/1.1"},
DynamicRecordSizingDisabled: true,
}
func main() {
tcpConn, err := net.Dial("tcp", "google.com:443")
if err != nil {
panic(err)
}
tlsConn := tls.UClient(tcpConn, &config, tls.HelloCustom)
if err := tlsConn.ApplyPreset(&spec); err != nil {
panic(fmt.Errorf("uTLSConn.ApplyPreset: %w", err))
}
if err := tlsConn.Handshake(); err != nil {
panic(fmt.Errorf("uTLSConn.Handshake: %w", err))
}
tlsConn.Close()
// then we handshake with www.google.com with the same setup
config.ServerName = "www.google.com"
tcpConn, err = net.Dial("tcp", "www.google.com:443")
if err != nil {
panic(err)
}
tlsConn = tls.UClient(tcpConn, &config, tls.HelloCustom)
// if err := tlsConn.ApplyPreset(&spec); err != nil { // bad
if err := tlsConn.ApplyPreset(getSpec()); err != nil { // good
panic(fmt.Errorf("uTLSConn.ApplyPreset: %w", err))
}
if err := tlsConn.Handshake(); err != nil {
panic(fmt.Errorf("uTLSConn.Handshake: %w", err))
}
}
Reproduced error. And the error is from here:
utls/handshake_client_tls13.go
Lines 136 to 139 in d2768e4
No extra error message because it is not a specific error hardcoded inside uTLS, but rather a general TLS Alert alertInternalError
(80).
Now I am almost certain that you reused the ClientHelloSpec
. Let me know if otherwise @BRUHItsABunny.
from utls.
Related Issues (20)
- Cannot install in Docker base image alpine (package crypto/ecdh is not in GOROOT) HOT 5
- panic: tls: setSessionTicketExt failed: invalid state HOT 3
- Support for padding extension HOT 6
- feat: GREASE ECH Extension HOT 4
- bump Auto parrot for Firefox and Chrome
- bug: configuration for GREASE ECH parrot for Chrome 120 doesn't match BoringSSL HOT 7
- HelloFirefox* gets an ECDSA verification failure HOT 4
- FingerprintClientHello support for GREASE ECH extension
- B uTLS does not support 0xFB1A as max version,add ja3 tls error,roundTripper error HOT 7
- crypto/ecdh is not in GOROOT (Go 1.18) HOT 1
- Secured Renegotiation is not supported HOT 10
- What is the hash function of the fingerprint in utls? HOT 6
- HTTP2 (akamai) fingerprint always same? HOT 1
- Example ImportTLSClientHelloFromJSON HOT 6
- Towards better versioning policy HOT 4
- bug: `(*Conn).Handshake()` is called upon `(*UConn).Read()` HOT 3
- *.tlsfingerprint.io down? HOT 6
- Any plans implements in Python HOT 1
- UnmarshalClientHello returns nil
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from utls.