On 04/02/2025 20:33, Cecylia Bocovich via anti-censorship-team wrote:
On 2025-02-04 09:21, Michael Rogers via anti-censorship-team wrote:
On 04/02/2025 11:30, Michael Rogers via anti-censorship-team wrote:
Since both versions *can* make a usable connection on Android >= 7.1.1, where the root cert used by Let's Encrypt is in the device's certificate store, I think the issue must be related to the PT's TLS handshake relying on the device's certificate store. So to get this working, we need to be able to validate Let's Encrypt certs at the PT layer as well as the proxied-application layer.
I'll start working on this next, but if anyone on the list has experience with customising certificate validation in Go, I'd be grateful for any hints you can offer!
Using the patch from Lyrebird !62 [1], but with the updated ISRG root cert that's currently in the snowflake repo [2], rather than the one referenced by the patch, gets Lyrebird working with CDN77 on Android < 7.1.1.
Since there isn't a snowflake release that includes the updated cert, I copied it into Lyrebird's meeklite package where it's used. If that's an acceptable solution for upstream I can open an MR.
Cheers, Michael
[1] https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/-/merge_requests/62
[2] https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/blob/26f7ee4b0620b5b64f3b7df6b139891a7b0170c8/common/certs/certs.go
Thank you for your efforts to debug this problem and for working on the solution! It's totally fine to copy it into lyrebird for the MR. We can de-duplicate this later, and may decide to factor it out into a separate ptutil library.
Cecylia
Great, I've opened !77 for this.
Cheers, Michael
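Michael's first message above asks how to customise certificate validation in Go so that the PT layer validates a Let's Encrypt chain without relying on the device's certificate store. The program below is an added example, not code from lyrebird, snowflake, or either participant in the thread: it builds a client tls.Config whose RootCAs is a pool holding only an embedded PEM root, and runs the same chain check crypto/tls performs in the handshake against a leaf certificate. The root and leaf are a constructed, throwaway chain generated by makeTestChain, standing in for ISRG Root X1 and a real CDN certificate; the function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// pinnedTLSConfig returns a client tls.Config whose trust store is exactly
// the certificates in rootPEM. Once RootCAs is non-nil, crypto/tls does not
// consult the device store at all, which is the point for Android < 7.1.1.
// (Hypothetical helper; in a PT the PEM would be the root shipped in the binary.)
func pinnedTLSConfig(rootPEM []byte, serverName string) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(rootPEM) {
		return nil, errors.New("embedded root PEM contains no usable certificate")
	}
	return &tls.Config{
		RootCAs:    pool,
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
	}, nil
}

// verifyLeaf performs the path validation crypto/tls would run during the
// handshake, on a DER leaf supplied directly so it can be exercised offline.
// Intermediates sent by the server would go in VerifyOptions.Intermediates.
func verifyLeaf(cfg *tls.Config, leafDER []byte) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
	return err
}

// makeTestChain builds a constructed CA and a server leaf for host signed by
// it, so the example runs without network access or a real root.
func makeTestChain(host string) (rootPEM, leafDER []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, err = x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leafDER, nil
}

func main() {
	rootPEM, leafDER, err := makeTestChain("front.example.test")
	if err != nil {
		panic(err)
	}
	cfg, err := pinnedTLSConfig(rootPEM, "front.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("pinned root, matching name:", verifyLeaf(cfg, leafDER)) // nil
	cfg.ServerName = "other.example.test"
	fmt.Println("pinned root, wrong name:", verifyLeaf(cfg, leafDER)) // hostname mismatch error
	// In a transport, cfg is what you hand to the HTTP client's TLSClientConfig.
}
```

The check that matters for the thread is that a chain which the embedded root does not sign is rejected even when the device store would accept it, and vice versa: with RootCAs set, the device store is simply never asked. Keeping the embedded PEM current (as the snowflake certs.go does) is then the only maintenance burden.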