cli: utls for TLS parroting #414
Conversation
There was a problem hiding this comment.
I would like to proceed to merge this PR piecemeal. The first step I'd like to achieve is to add support for handshaking using utls. I would like you to focus just on changes in that part of the codebase for now, by trying to implement using utls via the NewConn factory rather than adding a new UTLSHandshaker type.
Once we have refactored this part of the PR, we'll work to only merge that part and then we'll continue the discussion regarding the rest of your PR.
My general sense is that the code you've written is consistent with the way in which we do things currently in probe-cli, but it may be that there is a better way that could allow us to perform the same measurements with less code. Because this PR addresses a crucial and fundamental issue in probe-cli, it may be worth it spending some extra brain cycles to figure out the extent to which we can simplify and improve the code design.
Thank you!
(To further clarify what I mean: I suggest working on this branch and applying the required NewConn change. Once that is okay, I will take care of merging this part of your contribution to master. Once that is done, I'd like to have a design conversation regarding a few design options that I see here, so that we can discuss how to finish the rest of the work.)
This branch is currently using a connection to probe for whether the server uses http/1.1 or h2 and chooses a transport accordingly. The problem is that this extra connection is breaking the proxy because it uses net.Dial directly, so OONI doesn't work where a proxy is required. As a fix, stop using the whole of netx inside session but rather let us construct a netxlite transport. I was already planning on doing that and this issue here is a good excuse to see whether doing that makes sense.
|
Superseded by #432 |
This is the ground work for issue #1424.
This PR introduces the use of utls for mimicking the TLS ClientHellos of popular browser implementations in order to decrease the risk of OONI clients being blocked based on their characteristic TLS fingerprint. The functionality is implemented by a UTLSHandshaker in
netxlite.When using utls,
net/httpfails to derive the right HTTP version from the ALPN (the issue is described here). To solve this, the PR adds aroundTripperwrapper (packagehttptransport) to take care of this decision: