On Mon, Jan 21, 2019 at 05:12:41AM +0000, Yawning Angel wrote:
I just pushed a change to obfs4proxy master to use `utls` to mask the ClientHello signature (currently Chrome 70.x).
https://gitlab.com/yawning/obfs4/commit/4d453dab2120082b00bf6e63ab4aaeeda6b8...
// This also assumes that req.URL.Host will remain constant for the
// lifetime of the roundTripper, which is a valid assumption for meeklite.
Am I wrong, or is the actual restriction less strict? You can reuse the roundTripper for different hosts--the ServerName is taken from the addr argument to dialTLS--but only if those different hosts negotiate the same ALPN, because the choice of http.Transport or http2.Transport is made only once and persists for the lifetime of the roundTripper.
For the same reason, I don't think we'll be able to use HelloRandomized, only HelloRandomizedALPN or HelloRandomizedNoALPN. Otherwise we may negotiate different ALPN even against the same server during the lifetime of roundTripper.

I tried adding a conn.SetReadDeadline(time.Now().Add(10*time.Second)) inside dialTLS to force it to re-dial frequently, and with HelloRandomized it does indeed eventually trip the "horrifically wrong" branch with an error like:

    net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x05\x00\x10\x00\x00\x00\x03\x00\x00\x00\xfa\x00\x06\x00\x10\x01@"

Despite the error, the client recovers quickly, redialing until it gets a compatible ALPN.
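The "malformed HTTP response" bytes quoted above are not garbage: they decode as an HTTP/2 SETTINGS frame, which is the first thing a server sends once h2 has been negotiated, so the HTTP/1.x transport was handed an h2 connection. The parser below is an added example, not code from this thread or from obfs4proxy/meeklite; it uses only the Go standard library and the frame layout from RFC 7540.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Setting is one identifier/value pair from an HTTP/2 SETTINGS frame (RFC 7540 section 6.5).
type Setting struct {
	ID    uint16
	Value uint32
}
// settingNames maps the identifiers defined in RFC 7540 section 6.5.2 to their names.
var settingNames = map[uint16]string{1: "HEADER_TABLE_SIZE", 2: "ENABLE_PUSH",
	3: "MAX_CONCURRENT_STREAMS", 4: "INITIAL_WINDOW_SIZE", 5: "MAX_FRAME_SIZE", 6: "MAX_HEADER_LIST_SIZE"}
// ParseSettingsFrame decodes one HTTP/2 frame and returns its settings if it is a well-formed
// SETTINGS frame on stream 0; anything else is an error, so a diagnostic can tell "peer negotiated h2" apart from real garbage.
func ParseSettingsFrame(b []byte) ([]Setting, error) {
	if len(b) < 9 {
		return nil, fmt.Errorf("short frame header (%d bytes)", len(b))
	}
	length := int(b[0])<<16 | int(b[1])<<8 | int(b[2]) // 24-bit payload length
	ftype, flags := b[3], b[4]
	stream := binary.BigEndian.Uint32(b[5:9]) & 0x7fffffff // top bit is reserved
	if ftype != 0x4 {
		return nil, fmt.Errorf("frame type %#x is not SETTINGS", ftype)
	}
	// SETTINGS must be on stream 0, ACK frames carry no payload, entries are 6 bytes each.
	if stream != 0 || (flags&0x1 != 0 && length != 0) || length%6 != 0 || len(b) < 9+length {
		return nil, fmt.Errorf("bad SETTINGS frame: stream %d, flags %#x, len %d, have %d", stream, flags, length, len(b)-9)
	}
	var out []Setting
	for p := b[9 : 9+length]; len(p) > 0; p = p[6:] {
		out = append(out, Setting{binary.BigEndian.Uint16(p[0:2]), binary.BigEndian.Uint32(p[2:6])})
	}
	return out, nil
}
// malformedResponse is the byte string quoted in the error message above.
var malformedResponse = []byte("\x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x05\x00\x10\x00\x00\x00\x03\x00\x00\x00\xfa\x00\x06\x00\x10\x01@")

func main() {
	settings, err := ParseSettingsFrame(malformedResponse)
	if err != nil {
		panic(err)
	}
	for _, s := range settings { // prints the three server settings and their values
		fmt.Printf("%-22s = %d\n", settingNames[s.ID], s.Value)
	}
}
```

Running it prints MAX_FRAME_SIZE, MAX_CONCURRENT_STREAMS and MAX_HEADER_LIST_SIZE, i.e. a server's opening SETTINGS, which is the ALPN mismatch the "horrifically wrong" branch is catching.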