Question about package build

Alireza me at moorko.net
Sat Sep 7 06:16:10 PDT 2024 

Hi, I'm almost done implementing TLS fragmentation for GnuTLS as well
(through the hacky way I described in previous email). Should I just
add it to the existing MR
(https://gitlab.com/openconnect/openconnect/-/merge_requests/567) or I
have to create a new one?

Regards,
Alireza


On Mon, Sep 2, 2024 at 1:59 PM Alireza <me at moorko.net> wrote:
>
> > Here's a recent and very timely Twitter thread that touches on using
> > packet fragmentation at various layers to defeat censorship:
> > https://twitter.com/endermanch/status/1829648801612906916
>
> Thanks for the link. I could only find him talking about splitting
> HTTP into multiple TCP segments which is basically outdated now as
> (almost) no one uses plain HTTP.
>
> > As described in this thread, injecting extra fragmentation is AT BEST
> > a stopgap solution, exploiting a lack of (or bugginess in) stateful
> > session tracking, and nation-level censors WILL eventually prevent it
> > from working.
>
> I partially agree with you. For a packet dissection/processing system
> that should operate on a very high scale (e.g. nationwide), it is very
> difficult to maintain state as it requires lots of resources. I'm not
> saying it's not possible to do it but it makes their life harder as
> they often have to reassemble packets in order to be able to parse
> them. This process is inherently expensive because it involves
> buffering packets and waiting for the rest.
> That said, it's not a silver bullet; it's just one technique among
> many. However, the advantage is that these techniques can be combined
> to create a more effective solution.
>
>
> > Sounds like you've already implemented it for OpenSSL? Does using this
> > API actually allow you to successfully bypass the Divar-e-Bozorg and
> > establish a TLS handshake with a TLS-based VPN server? 😅
> >
> > And if so, can you share the code/diff? (Perhaps privately if you prefer.)
>
> I created a draft PR so you can see what I've done so far:
> https://gitlab.com/openconnect/openconnect/-/merge_requests/567
> I haven't tested it personally yet, but I know this technique is
> widely used by people who bypass the Divar-e-Bozorg (which translates
> to "Great Wall") using V2Ray-based proxies and even their own custom
> censorship circumvention tools, such as
> https://github.com/bepass-org/bepass.
>
>
> > If this technique does actually work for circumventing censorship, I
> > think we could make a very good case for adding a similar capability
> > to GnuTLS and I'd be happy to help with it :-)
>
>
> The technique is proven to work:
> * See section 7: https://dl.acm.org/doi/epdf/10.1145/3487552.3487858
> * This is an amazing blog post specifically about TLS fragmentation:
> https://upb-syssec.github.io/blog/2023/record-fragmentation/
>
> I'd love to help and add this capability to GnuTLS!
>
> > You might also be interested in
> > https://gitlab.com/openconnect/openconnect/-/merge_requests/297, where
> > I added the `--sni` option to aid in
> > https://en.wikipedia.org/wiki/Domain_fronting (another anti-censorship
> > technique).
>
> Yes I actually saw it and I remember the time it was released I was
> happy because it made my life easier. Before that, I had to use the
> `--resolve` cli argument to simulate this behavior. Thanks🙂
>
>
> On Mon, Sep 2, 2024 at 1:15 AM Daniel Lenski <dlenski at gmail.com> wrote:
> >
> > On Sun, Sep 1, 2024 at 4:10 PM Daniel Lenski <dlenski at gmail.com> wrote:
> > >
> > > On Sun, Sep 1, 2024 at 1:46 PM Moorko <me at moorko.net> wrote:
> > > >
> > > > Thanks for your detailed response, Daniel.
> > > >
> > > > I now realize that I clearly missed the big picture here as I'm relatively new to this domain.
> > >
> > > No worries! Looks like you're tackling a tricky problem and asking the
> > > right questions :-)
> > >
> > > > > I'm not sure what "flexible" means specifically.
> > > >
> > > > I'm implementing a TLS handshake fragmentation feature for OpenConnect so that it can better resist internet censorship in Iran (and potentially in other places as well).
> > >
> > > Ah. We have a tag for Iran-censorship-related issues, definitely
> > > peruse these if you haven't already:
> > > https://gitlab.com/openconnect/openconnect/-/issues/?label_name%5B%5D=Damet%20Garm
> >
> > You might also be interested in
> > https://gitlab.com/openconnect/openconnect/-/merge_requests/297, where
> > I added the `--sni` option to aid in
> > https://en.wikipedia.org/wiki/Domain_fronting (another anti-censorship
> > technique).
> >
> > That one also required some careful fine-tuning to handle the change
> > in expectations of the server's TLS certificate when built with either
> > OpenSSL or GnuTLS.

More information about the openconnect-devel mailing list