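Purpose of this survey: to understand how distinctive the ClientHello fingerprints of current TLS-based protocol schemes are. For the theoretical background, see https://arxiv.org/abs/1607.01639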

Fingerprint databases:

naiveproxy v78.0.3904.70-4

(Disclosure: I am the author of this.)

Options: default

tlsfingerprint.io: https://tlsfingerprint.io/id/bbf04e5f1881f506 (rank #1, frequency 22.64%)

Cisco Mercury: "analysis":{"process":"chrome.exe","score":0.918463212}

TLSv1.3 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 512
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 508
        Version: TLS 1.2 (0x0303)
        Random: …
        Session ID Length: 32
        Session ID: …
        Cipher Suites Length: 34
        Cipher Suites (17 suites)
            Cipher Suite: Reserved (GREASE) (0x9a9a)
            Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
            Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
            Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
            Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
            Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
        Compression Methods Length: 1
        Compression Methods (1 method)
            Compression Method: null (0)
        Extensions Length: 401
        Extension: Reserved (GREASE) (len=0)
            Type: Reserved (GREASE) (51914)
            Length: 0
            Data: <MISSING>
        Extension: server_name (len=…)
            Type: server_name (0)
            Length: …
            Server Name Indication extension
        Extension: extended_master_secret (len=0)
            Type: extended_master_secret (23)
            Length: 0
        Extension: renegotiation_info (len=1)
            Type: renegotiation_info (65281)
            Length: 1
            Renegotiation Info extension
                Renegotiation info extension length: 0
        Extension: supported_groups (len=10)
            Type: supported_groups (10)
            Length: 10
            Supported Groups List Length: 8
            Supported Groups (4 groups)
                Supported Group: Reserved (GREASE) (0xbaba)
                Supported Group: x25519 (0x001d)
                Supported Group: secp256r1 (0x0017)
                Supported Group: secp384r1 (0x0018)
        Extension: ec_point_formats (len=2)
            Type: ec_point_formats (11)
            Length: 2
            EC point formats Length: 1
            Elliptic curves point formats (1)
                EC point format: uncompressed (0)
        Extension: session_ticket (len=0)
            Type: session_ticket (35)
            Length: 0
            Data (0 bytes)
        Extension: application_layer_protocol_negotiation (len=14)
            Type: application_layer_protocol_negotiation (16)
            Length: 14
            ALPN Extension Length: 12
            ALPN Protocol
                ALPN string length: 2
                ALPN Next Protocol: h2
                ALPN string length: 8
                ALPN Next Protocol: http/1.1
        Extension: status_request (len=5)
            Type: status_request (5)
            Length: 5
            Certificate Status Type: OCSP (1)
            Responder ID list Length: 0
            Request Extensions Length: 0
        Extension: signature_algorithms (len=20)
            Type: signature_algorithms (13)
            Length: 20
            Signature Hash Algorithms Length: 18
            Signature Hash Algorithms (9 algorithms)
                Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
        Extension: signed_certificate_timestamp (len=0)
            Type: signed_certificate_timestamp (18)
            Length: 0
        Extension: key_share (len=43)
            Type: key_share (51)
            Length: 43
            Key Share extension
                Client Key Share Length: 41
                Key Share Entry: Group: Reserved (GREASE), Key Exchange length: 1
                    Group: Reserved (GREASE) (47802)
                    Key Exchange Length: 1
                    Key Exchange: 00
                Key Share Entry: Group: x25519, Key Exchange length: 32
                    Group: x25519 (29)
                    Key Exchange Length: 32
                    Key Exchange: …
        Extension: psk_key_exchange_modes (len=2)
            Type: psk_key_exchange_modes (45)
            Length: 2
            PSK Key Exchange Modes Length: 1
            PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
        Extension: supported_versions (len=11)
            Type: supported_versions (43)
            Length: 11
            Supported Versions length: 10
            Supported Version: Unknown (0x3a3a)
            Supported Version: TLS 1.3 (0x0304)
            Supported Version: TLS 1.2 (0x0303)
            Supported Version: TLS 1.1 (0x0302)
            Supported Version: TLS 1.0 (0x0301)
        Extension: compress_certificate (len=3)
            Type: compress_certificate (27)
            Length: 3
            Algorithms Length: 2
            Algorithm: brotli (2)
        Extension: Reserved (GREASE) (len=1)
            Type: Reserved (GREASE) (47802)
            Length: 1
            Data: 00
        Extension: padding (len=197)
            Type: padding (21)
            Length: …
            Padding Data: 000000000000000000000000000000000000000000000000…

gost v2.8.1

sudo setcap cap_net_bind_service=+ep ./gost
./gost -L=socks5://:1081 -F=http2://127.0.0.1:443 &
./gost -L=http2://127.0.0.1:443 &
curl --proxy socks5h://127.0.0.1:1081 microsoft.com

tlsfingerprint.io: https://tlsfingerprint.io/id/a74f2cb7dfed5308 (not found)

Cisco Mercury: "analysis":{"process":"Unknown","score":0.0}

TLSv1.2 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 199
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 195
        Version: TLS 1.2 (0x0303)
        Random: …
        Session ID Length: 32
        Session ID: …
        Cipher Suites Length: 32
        Cipher Suites (16 suites)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
            Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
            Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
            Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
            Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
        Compression Methods Length: 1
        Compression Methods (1 method)
            Compression Method: null (0)
        Extensions Length: 90
        Extension: next_protocol_negotiation (len=0)
            Type: next_protocol_negotiation (13172)
            Length: 0
        Extension: status_request (len=5)
            Type: status_request (5)
            Length: 5
            Certificate Status Type: OCSP (1)
            Responder ID list Length: 0
            Request Extensions Length: 0
        Extension: supported_groups (len=10)
            Type: supported_groups (10)
            Length: 10
            Supported Groups List Length: 8
            Supported Groups (4 groups)
                Supported Group: x25519 (0x001d)
                Supported Group: secp256r1 (0x0017)
                Supported Group: secp384r1 (0x0018)
                Supported Group: secp521r1 (0x0019)
        Extension: ec_point_formats (len=2)
            Type: ec_point_formats (11)
            Length: 2
            EC point formats Length: 1
            Elliptic curves point formats (1)
                EC point format: uncompressed (0)
        Extension: signature_algorithms (len=24)
            Type: signature_algorithms (13)
            Length: 24
            Signature Hash Algorithms Length: 22
            Signature Hash Algorithms (11 algorithms)
                Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                Signature Algorithm: ecdsa_sha1 (0x0203)
        Extension: renegotiation_info (len=1)
            Type: renegotiation_info (65281)
            Length: 1
            Renegotiation Info extension
                Renegotiation info extension length: 0
        Extension: application_layer_protocol_negotiation (len=5)
            Type: application_layer_protocol_negotiation (16)
            Length: 5
            ALPN Extension Length: 3
            ALPN Protocol
                ALPN string length: 2
                ALPN Next Protocol: h2
        Extension: signed_certificate_timestamp (len=0)
            Type: signed_certificate_timestamp (18)
            Length: 0
        Extension: supported_versions (len=7)
            Type: supported_versions (43)
            Length: 7
            Supported Versions length: 6
            Supported Version: TLS 1.2 (0x0303)
            Supported Version: TLS 1.1 (0x0302)
            Supported Version: TLS 1.0 (0x0301)

V2Ray v4.21.3

https://guide.v2fly.org/advanced/h2.html

tlsfingerprint.io: https://tlsfingerprint.io/id/8c48b95f67260663 (not found)

Cisco Mercury: "analysis":{"process":"Unknown","score":0.0}

TLSv1 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: …
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: …
        Version: TLS 1.2 (0x0303)
        Random: …
        Session ID Length: 32
        Session ID: …
        Cipher Suites Length: 30
        Cipher Suites (15 suites)
            Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
            Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
            Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
            Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
        Compression Methods Length: 1
        Compression Methods (1 method)
            Compression Method: null (0)
        Extensions Length: …
        Extension: next_protocol_negotiation (len=0)
            Type: next_protocol_negotiation (13172)
            Length: 0
        Extension: server_name (len=…)
            Type: server_name (0)
            Length: …
            Server Name Indication extension
        Extension: status_request (len=5)
            Type: status_request (5)
            Length: 5
            Certificate Status Type: OCSP (1)
            Responder ID list Length: 0
            Request Extensions Length: 0
        Extension: supported_groups (len=10)
            Type: supported_groups (10)
            Length: 10
            Supported Groups List Length: 8
            Supported Groups (4 groups)
                Supported Group: x25519 (0x001d)
                Supported Group: secp256r1 (0x0017)
                Supported Group: secp384r1 (0x0018)
                Supported Group: secp521r1 (0x0019)
        Extension: ec_point_formats (len=2)
            Type: ec_point_formats (11)
            Length: 2
            EC point formats Length: 1
            Elliptic curves point formats (1)
                EC point format: uncompressed (0)
        Extension: session_ticket (len=0)
            Type: session_ticket (35)
            Length: 0
            Data (0 bytes)
        Extension: signature_algorithms (len=26)
            Type: signature_algorithms (13)
            Length: 26
            Signature Hash Algorithms Length: 24
            Signature Hash Algorithms (12 algorithms)
                Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                Signature Algorithm: ed25519 (0x0807)
                Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                Signature Algorithm: ecdsa_sha1 (0x0203)
        Extension: renegotiation_info (len=1)
            Type: renegotiation_info (65281)
            Length: 1
            Renegotiation Info extension
                Renegotiation info extension length: 0
        Extension: application_layer_protocol_negotiation (len=5)
            Type: application_layer_protocol_negotiation (16)
            Length: 5
            ALPN Extension Length: 3
            ALPN Protocol
                ALPN string length: 2
                ALPN Next Protocol: h2
        Extension: signed_certificate_timestamp (len=0)
            Type: signed_certificate_timestamp (18)
            Length: 0
        Extension: supported_versions (len=9)
            Type: supported_versions (43)
            Length: 9
            Supported Versions length: 8
            Supported Version: TLS 1.3 (0x0304)
            Supported Version: TLS 1.2 (0x0303)
            Supported Version: TLS 1.1 (0x0302)
            Supported Version: TLS 1.0 (0x0301)
        Extension: key_share (len=38)
            Type: key_share (51)
            Length: 38
            Key Share extension
                Client Key Share Length: 36
                Key Share Entry: Group: x25519, Key Exchange length: 32
                    Group: x25519 (29)
                    Key Exchange Length: 32
                    Key Exchange: …
        Extension: psk_key_exchange_modes (len=2)
            Type: psk_key_exchange_modes (45)
            Length: 2
            PSK Key Exchange Modes Length: 1
            PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)

trojan 1.13.0

Options: default

tlsfingerprint.io: https://tlsfingerprint.io/id/8f41a7eb773999f8 (not found)

Cisco Mercury: "analysis":{"process":"Unknown","score":0.0}

TLSv1.3 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 512
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 508
        Version: TLS 1.2 (0x0303)
        Random: …
        Session ID Length: 32
        Session ID: …
        Cipher Suites Length: 24
        Cipher Suites (12 suites)
            Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
            Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
            Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
            Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
            Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
            Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
        Compression Methods Length: 1
        Compression Methods (1 method)
            Compression Method: null (0)
        Extensions Length: …
        Extension: server_name (len=…)
            Type: server_name (0)
            Length: …
            Server Name Indication extension
        Extension: ec_point_formats (len=4)
            Type: ec_point_formats (11)
            Length: 4
            EC point formats Length: 3
            Elliptic curves point formats (3)
                EC point format: uncompressed (0)
                EC point format: ansiX962_compressed_prime (1)
                EC point format: ansiX962_compressed_char2 (2)
        Extension: supported_groups (len=12)
            Type: supported_groups (10)
            Length: 12
            Supported Groups List Length: 10
            Supported Groups (5 groups)
                Supported Group: x25519 (0x001d)
                Supported Group: secp256r1 (0x0017)
                Supported Group: x448 (0x001e)
                Supported Group: secp521r1 (0x0019)
                Supported Group: secp384r1 (0x0018)
        Extension: application_layer_protocol_negotiation (len=14)
            Type: application_layer_protocol_negotiation (16)
            Length: 14
            ALPN Extension Length: 12
            ALPN Protocol
                ALPN string length: 2
                ALPN Next Protocol: h2
                ALPN string length: 8
                ALPN Next Protocol: http/1.1
        Extension: encrypt_then_mac (len=0)
            Type: encrypt_then_mac (22)
            Length: 0
        Extension: extended_master_secret (len=0)
            Type: extended_master_secret (23)
            Length: 0
        Extension: signature_algorithms (len=42)
            Type: signature_algorithms (13)
            Length: 42
            Signature Hash Algorithms Length: 40
            Signature Hash Algorithms (20 algorithms)
                Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                Signature Algorithm: ed25519 (0x0807)
                Signature Algorithm: ed448 (0x0808)
                Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
                Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
                Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
                Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                Signature Algorithm: SHA224 ECDSA (0x0303)
                Signature Algorithm: SHA224 RSA (0x0301)
                Signature Algorithm: SHA224 DSA (0x0302)
                Signature Algorithm: SHA256 DSA (0x0402)
                Signature Algorithm: SHA384 DSA (0x0502)
                Signature Algorithm: SHA512 DSA (0x0602)
        Extension: supported_versions (len=5)
            Type: supported_versions (43)
            Length: 5
            Supported Versions length: 4
            Supported Version: TLS 1.3 (0x0304)
            Supported Version: TLS 1.2 (0x0303)
        Extension: psk_key_exchange_modes (len=2)
            Type: psk_key_exchange_modes (45)
            Length: 2
            PSK Key Exchange Modes Length: 1
            PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
        Extension: key_share (len=38)
            Type: key_share (51)
            Length: 38
            Key Share extension
                Client Key Share Length: 36
                Key Share Entry: Group: x25519, Key Exchange length: 32
                    Group: x25519 (29)
                    Key Exchange Length: 32
                    Key Exchange: …
        Extension: padding (len=226)
            Type: padding (21)
            Length: …
            Padding Data: 000000000000000000000000000000000000000000000000…

@frankang frankang commented Nov 22, 2019

how about the fingerprint of v2ray+websocket+tls
https://guide.v2fly.org/advanced/wss_and_web.html

Owner Author

@klzgrad klzgrad commented Nov 28, 2019

@gitsrc I'm aware, but uTLS probably still leaks some info from its dynamic behavior (cipher negotiation, key exchange).

@frankang http/2 is just http/2 cleartext over tls. They use the same tls stack.

@gitsrc gitsrc commented Nov 29, 2019

> @gitsrc I'm aware, but uTLS probably still leaks some info from its dynamic behavior (cipher negotiation, key exchange).
>
> @frankang http/2 is just http/2 cleartext over tls. They use the same tls stack.

Why not borrow the Chrome web stack by designing a Chrome app?

Owner Author

@klzgrad klzgrad commented Nov 29, 2019

@gitsrc Chrome app support was discontinued several years ago, and it was the only way you can use raw tcp sockets inside Chrome, not Chrome extensions.

@itshaadi itshaadi commented Jan 9, 2020

> http/2 is just http/2 cleartext over tls. They use the same tls stack.

Ok, but how come wss+tls+cf actually works and h2 doesn't? (I'm writing this while connected to v2ray via mentioned stack)

and, why haven't you tested trojan 1.14.0? they also added FF 71.0 fingerprint 2d ago (trojan-gfw/trojan@4ab621d)

Owner Author

@klzgrad klzgrad commented Jan 10, 2020

@itshaadi who said wss+tls+cf doesn't work?

@itshaadi itshaadi commented Jan 10, 2020

You said they use the same TLS stack. Well, h2 doesn't work, but wss+tls+cf works! (Although not with ECC CA-2 certs; you can read more about it here.) But still, h2 doesn't work at all, yet they use the same TLS stack. So then how come wss+tls+cf works?

@tomac4t tomac4t commented Jan 15, 2020

> why haven't you tested trojan 1.14.0? they also added FF 71.0 fingerprint 2d ago (trojan-gfw/trojan@4ab621d)

A TLS fingerprint includes not only the client ciphers but also other parameters. So it is not the Firefox 71.0 fingerprint. You can use tools like tcpdump and upload a pcap file to https://tlsfingerprint.io/pcap to see the result.

I built the latest trojan (trojan-gfw/trojan@92ef169) with default options, using the config.json that you mentioned. The following are its TLS fingerprints:

https://tlsfingerprint.io/id/6b7fff3bc6dc9f3b (Not found)
https://tlsfingerprint.io/id/41e239e8cc589954 (Not found)

> but still, h2 doesn't work at all. yet they use the same TLS stack. so then how come wss+tls+cf works?

What do you mean by "h2"? Like your client <--HTTP/2--> your server, without using Cloudflare as a reverse proxy? Then the Iranian government blocks your server address? @itshaadi

@itshaadi itshaadi commented Jan 15, 2020

> What do you mean by "h2"? Like your client <--HTTP/2--> your server, without using Cloudflare as a reverse proxy? Then the Iranian government blocks your server address?

Client <--HTTP/2--> Server, with or without Cloudflare, doesn't matter. It's always the same result (the connection doesn't reach the server). I get RST after Client Hello. @tomac4t

@tomac4t tomac4t commented Jan 18, 2020

Hello @itshaadi, since I had not used V2Ray before, I took some time to look at it. Yes, it is. Actually, they have different TLS fingerprints. According to your description, I think some parameter may trigger the censorship, leading to the TCP RST packet you received. The following is my test:

V2ray (v4.22.1) HTTP/2

Client options: https://guide.v2fly.org/advanced/h2.html
https://tlsfingerprint.io/id/8c48b95f67260663 (Not found)
https://tlsfingerprint.io/id/c2885c1d81a62146 (Not found)

V2ray (v4.22.1) WebSocket+TLS+Web

Client options: https://guide.v2fly.org/advanced/wss_and_web.html
https://tlsfingerprint.io/id/712d38dcc66eb900 (Rank: 6590/361511, Seen: 2.8K times all time(0.00%))
https://tlsfingerprint.io/id/494892b8fdcf4be5 (Not found)
https://tlsfingerprint.io/id/f21ec4b9175fd6db (Not found)
https://tlsfingerprint.io/id/4e9b00c563f42d70 (Not found)

Edited:
The main difference between them is that the ALPN Next Protocol value is different.
HTTP/2:

        Extension: application_layer_protocol_negotiation (len=5)
            Type: application_layer_protocol_negotiation (16)
            Length: 5
            ALPN Extension Length: 3
            ALPN Protocol
                ALPN string length: 2
                ALPN Next Protocol: h2

WebSocket+TLS+Web:

        Extension: application_layer_protocol_negotiation (len=11)
            Type: application_layer_protocol_negotiation (16)
            Length: 11
            ALPN Extension Length: 9
            ALPN Protocol
                ALPN string length: 8
                ALPN Next Protocol: http/1.1

A modern browser should support both h2 and http/1.1 instead of supporting h2 only. (Ref. https://tlsfingerprint.io/alpn) I think this is the reason why @itshaadi said V2Ray HTTP/2 doesn't work.

Edited: For the details of the V2Ray ClientHello fingerprints, see: https://gist.github.com/tomac4t/760669dbb6e588eb15807c87515b44c5

TLSFingerprint.io

Now you can use the following link to compare them: https://tlsfingerprint.io/compare/8c48b95f67260663/712d38dcc66eb900

Screenshot: TLSfingerprint.io

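Edited: Interestingly, four years ago some DPI boxes also classified obfs4 traffic based on ALPN. At that time the Firefox ESR used by Tor still supported an outdated experimental version of H2: https://lists.torproject.org/pipermail/tor-talk/2016-May/040990.html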
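
The point made in the comment above, that a fingerprint covers more than the cipher list and that the ALPN list alone separates the two V2Ray transports, can be checked with a small ClientHello parser. This is an added example, not code from the thread, tlsfingerprint.io or Mercury: the hash is an illustrative scheme that will not reproduce tlsfingerprint.io IDs, and the records are constructed from values shown in the dumps on this page.

```python
import hashlib
import struct

def is_grease(value):
    """RFC 8701 GREASE code points: 0x0a0a, 0x1a1a, ..., 0xfafa."""
    return (value & 0x0f0f) == 0x0a0a and (value >> 8) == (value & 0xff)

def u16_list(data):
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data) - 1, 2)]

def parse_client_hello(record):
    """Parse a single TLS record that holds one complete ClientHello."""
    if len(record) < 9 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a handshake record carrying a ClientHello")
    hello_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hello_len]
    if len(hello) != hello_len:
        raise ValueError("truncated ClientHello")
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(hello):
            raise ValueError("field runs past end of ClientHello")
        chunk = hello[pos:pos + n]
        pos += n
        return chunk

    def take_vec(len_bytes):
        return take(int.from_bytes(take(len_bytes), "big"))

    out = {"version": int.from_bytes(take(2), "big"), "extensions": [],
           "groups": [], "point_formats": [], "alpn": []}
    take(32)                                   # random
    take_vec(1)                                # session id
    out["ciphers"] = u16_list(take_vec(2))
    take_vec(1)                                # compression methods
    if pos == len(hello):
        return out                             # no extensions block
    ext_block_len = int.from_bytes(take(2), "big")
    end = pos + ext_block_len
    while pos < end:
        etype = int.from_bytes(take(2), "big")
        edata = take_vec(2)
        out["extensions"].append(etype)
        if etype == 10:                        # supported_groups
            out["groups"] = u16_list(edata[2:])
        elif etype == 11:                      # ec_point_formats
            out["point_formats"] = list(edata[1:])
        elif etype == 16:                      # ALPN protocol list
            i = 2
            while i < len(edata):
                name = edata[i + 1:i + 1 + edata[i]]
                out["alpn"].append(name.decode("ascii", "replace"))
                i += 1 + edata[i]
    return out

def features(hello):
    """Order-preserving features with GREASE removed (illustrative scheme)."""
    strip = lambda values: [v for v in values if not is_grease(v)]
    return (hello["version"], strip(hello["ciphers"]), strip(hello["extensions"]),
            strip(hello["groups"]), hello["point_formats"], hello["alpn"])

def fingerprint(record):
    canon = repr(features(parse_client_hello(record))).encode()
    return hashlib.sha256(canon).hexdigest()[:16]

def build_client_hello(ciphers, extensions):
    """Constructed input: zero random, empty session id, null compression."""
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + struct.pack("!H", 2 * len(ciphers))
             + b"".join(struct.pack("!H", c) for c in ciphers)
             + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sample(grease_cipher, grease_ext, protocols):
    """Constructed ClientHello; only GREASE values and ALPN vary."""
    alpn = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    extensions = [(grease_ext, b""),
                  (10, struct.pack("!HHHH", 6, 0x001d, 0x0017, 0x0018)),
                  (11, b"\x01\x00"),
                  (16, struct.pack("!H", len(alpn)) + alpn)]
    return build_client_hello([grease_cipher, 0xc02f, 0xc030, 0xc02b, 0xc02c], extensions)

if __name__ == "__main__":
    for label, rec in [("GREASE set A, h2+http/1.1", sample(0x9a9a, 0xcaca, ["h2", "http/1.1"])),
                       ("GREASE set B, h2+http/1.1", sample(0x1a1a, 0x2a2a, ["h2", "http/1.1"])),
                       ("GREASE set A, h2 only", sample(0x9a9a, 0xcaca, ["h2"]))]:
        print(label, fingerprint(rec), parse_client_hello(rec)["alpn"])
```

The first two records differ only in their GREASE values and hash identically; the third differs only in ALPN and gets a different fingerprint.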

@bash99 bash99 commented May 13, 2020

cbeuw's Cloak seems to achieve a similar result in Mercury and tlsfingerprint.io.
https://tlsfingerprint.io/id/bbf04e5f1881f506

But it chooses to listen directly on 443, and I'm worried its site cert will be a weak point.

Cloak has some useful features like direct UDP forward support, and supports multi-forward groups.

@tomac4t tomac4t commented May 13, 2020

Cloak's fingerprint matches Chromium's because it uses uTLS… @bash99

@bash99 bash99 commented May 13, 2020

> Cloak's fingerprint matches Chromium's because it uses uTLS… @bash99

Thanks, got it.

If we could get the traffic distribution passing through the GFW, maybe some new way could be found.
Perhaps Zoom and MS Teams use a lot of traffic recently.

@felixding felixding commented Jul 23, 2020

> cbeuw's Cloak seems to achieve a similar result in Mercury and tlsfingerprint.io.
> https://tlsfingerprint.io/id/bbf04e5f1881f506
>
> But it chooses to listen directly on 443, and I'm worried its site cert will be a weak point.
>
> Cloak has some useful features like direct UDP forward support, and supports multi-forward groups.

It looks like the certificate problem has already appeared: HirbodBehnam/Shadowsocks-Cloak-Installer#24
