
Optionally verifying the ClientHello sent on wire

Open gaukas opened this issue 3 years ago • 1 comment

Implement an optional feature which, when enabled, will:

  • Capture the bytes of ClientHello sent on wire
  • Compare it with the desired ClientHelloMessage
  • Throw an error and tear down the connection if they don't match

This may help us in preventing unintended behaviors of malfunctioning extensions in uTLS.


Original Post: https://github.com/net4people/bbs/issues/139#issuecomment-1281760299 by @klzgrad

gaukas avatar Oct 18 '22 04:10 gaukas
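The check the post proposes, sketched as an added Go example (not uTLS code and not the issue author's): a `net.Conn` wrapper that intercepts the first write, requires it to be a single ClientHello handshake record byte-identical to the intended one, and closes the connection on mismatch instead of letting the bytes leave the host. The names `verifyingConn`, `checkClientHelloRecord` and `handshakeRecord` are assumptions, as is comparing the serialized record rather than a parsed `ClientHelloMessage`; the hello bodies are constructed sample data.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)
var ErrClientHelloMismatch = errors.New("ClientHello on wire differs from the intended one")

type verifyingConn struct { // assumed name, not a uTLS type
	net.Conn
	expected []byte // ClientHello record the caller intends to send
	checked  bool
}

func (c *verifyingConn) Write(p []byte) (int, error) {
	if !c.checked { // only the first write carries the ClientHello
		c.checked = true
		if err := checkClientHelloRecord(p, c.expected); err != nil {
			c.Conn.Close() // tear down rather than leak an unintended fingerprint
			return 0, err
		}
	}
	return c.Conn.Write(p)
}

// checkClientHelloRecord: wire must be one handshake record (0x16) holding a ClientHello (0x01) equal to expected.
func checkClientHelloRecord(wire, expected []byte) error {
	if len(wire) < 9 || wire[0] != 0x16 || wire[5] != 0x01 || int(binary.BigEndian.Uint16(wire[3:5]))+5 != len(wire) {
		return errors.New("first write is not a single ClientHello handshake record")
	}
	if !bytes.Equal(wire, expected) {
		return ErrClientHelloMismatch
	}
	return nil
}

// handshakeRecord frames a constructed sample body with handshake and record headers.
func handshakeRecord(body []byte) []byte {
	hs := append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append([]byte{0x16, 0x03, 0x01, byte(len(hs) >> 8), byte(len(hs))}, hs...)
}
func main() {
	client, _ := net.Pipe()
	vc := &verifyingConn{Conn: client, expected: handshakeRecord([]byte("intended hello"))}
	_, err := vc.Write(handshakeRecord([]byte("a different hello")))
	fmt.Println("rejected:", errors.Is(err, ErrClientHelloMismatch)) // rejected: true
}
```

A real implementation would wrap the connection below the TLS record layer so that the check sees exactly what is written to the socket, and could additionally compare against a denylist of known-bad (for example default Go) fingerprints.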

This is meant to prevent accidental leakage of unmodified Go fingerprints as reported in https://github.com/net4people/bbs/issues/139. The check must be as close to the wire as possible and can check for known wrong fingerprints e.g. default Go fingerprints.

But the action should be determined after reproducing the original bug. If the bug turns out to be caused by incorrect configuration or bugs within uTLS, the check can catch it. If the problematic code path is caused by external factors that make uTLS entirely unused, then I don't think this would help.

klzgrad avatar Oct 18 '22 05:10 klzgrad