[tor-bugs] #14256 [meek]: Clarify whether Cloudflare's Universal SSL thing works with meek

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jan 26 05:06:57 UTC 2016


#14256: Clarify whether Cloudflare's Universal SSL thing works with meek
-------------------------+---------------------
 Reporter:  cypherpunks  |          Owner:  dcf
     Type:  enhancement  |         Status:  new
 Priority:  Medium       |      Milestone:
Component:  meek         |        Version:
 Severity:  Normal       |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
  Sponsor:               |
-------------------------+---------------------
Changes (by abacabadabacaba):

 * severity:   => Normal


Comment:

 I did some experiments with CloudFlare, and here are the results:

 When using HTTP/1.1, CloudFlare requires the SNI hostname to match the value
 of the `Host` header. If this is violated, an HTTP 403 error is returned.

 However, when using HTTP/2, the check is less strict. HTTP/2 has a feature
 where a single connection can be used with multiple host names as long as
 the TLS certificate presented by the server is valid for all those host
 names. When using CloudFlare Free SSL, a single certificate is generated
 for multiple domains, and it is possible to utilize domain fronting as
 long as both the front and the back domain use the same certificate.

 I don't know how they choose which domains share a certificate. Also,
 these certificates seem to be reissued much more frequently than their
 validity period might suggest. As a result, domain fronting with
 CloudFlare is possible, but not very convenient.

 Anyway, I registered an address https://meek-reflect.cf/ which you can use
 for testing. Unfortunately, I don't know any command-line tools that can
 send HTTP/2 requests, and constructing HTTP/2 requests by hand is not
 trivial. Still, you can use this command to try ~~the voodoo magic of~~
 domain fronting for yourself:

 {{{
 # Connection preface, an empty SETTINGS frame, then one HEADERS frame (length 20,
 # flags END_STREAM|END_HEADERS, stream 1) whose HPACK block is :method GET,
 # :scheme https, :authority meek-reflect.cf (literal), :path /.
 # The front name only appears in the TLS SNI (-servername), never in the request.
 printf 'PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n\0\0\0\4\0\0\0\0\0\0\0\24\1\5\0\0\0\1\202\207\1\17meek-reflect.cf\204' \
   | openssl s_client -quiet -connect spacebitco.in.net:443 -servername spacebitco.in.net -alpn h2
 }}}
 If you see the text `I’m just a happy little web server.` somewhere in the
 output, then it worked.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14256#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
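The printf in the comment above is a complete HTTP/2 request typed out as octal escapes. As an added example, not part of the ticket, of meek, or of CloudFlare, the Python below builds the same bytes from named pieces (connection preface, empty SETTINGS frame, one HEADERS frame whose HPACK block uses only static-table entries), splits the frames a server sends back, and, in `probe()`, performs the fronted request with the front host in SNI and the back host in `:authority`. The hostnames and the `happy little web server` marker are taken from the comment; that those hosts still exist or still behave as described is an assumption, and the rest of the script runs offline.

```python
"""Hand-built HTTP/2 domain-fronting probe (added example, not from the ticket)."""
import socket
import ssl
import struct

# HTTP/2 connection preface (RFC 7540, section 3.5); the comment's printf starts with it.
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

# Frame types and flags used here (RFC 7540, section 6).
TYPE_DATA, TYPE_HEADERS, TYPE_RST_STREAM, TYPE_SETTINGS, TYPE_GOAWAY = 0x0, 0x1, 0x3, 0x4, 0x7
FLAG_END_STREAM, FLAG_END_HEADERS, FLAG_PADDED = 0x1, 0x4, 0x8

# HPACK static-table entries we need (RFC 7541, appendix A).
IDX_AUTHORITY, IDX_METHOD_GET, IDX_PATH_ROOT, IDX_SCHEME_HTTPS = 1, 2, 4, 7


def frame(ftype, flags, stream_id, payload):
    """9-byte frame header: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for one frame")
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def hpack_indexed(index):
    """Indexed header field (RFC 7541, 6.1): 1xxxxxxx; single byte for index < 127."""
    if not 1 <= index < 127:
        raise ValueError("index would need multi-byte integer encoding")
    return bytes([0x80 | index])


def hpack_literal_without_indexing(name_index, value):
    """Literal header field without indexing (RFC 7541, 6.2.2): 0000xxxx name index,
    then a raw (non-Huffman) string with a 7-bit length; single-byte forms only."""
    if not 1 <= name_index < 15 or len(value) >= 127:
        raise ValueError("would need multi-byte integer encoding")
    return bytes([name_index, len(value)]) + value


def fronted_request(back_host):
    """Bytes the comment's printf emits: preface, empty SETTINGS, then a HEADERS frame for
    GET https://<back_host>/ on stream 1. The front host never appears in these bytes;
    it lives only in the TLS SNI, which is what makes fronting possible."""
    block = (hpack_indexed(IDX_METHOD_GET) + hpack_indexed(IDX_SCHEME_HTTPS)
             + hpack_literal_without_indexing(IDX_AUTHORITY, back_host.encode("ascii"))
             + hpack_indexed(IDX_PATH_ROOT))
    return (PREFACE + frame(TYPE_SETTINGS, 0, 0, b"")
            + frame(TYPE_HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, 1, block))


def parse_frames(data):
    """Split raw bytes into (type, flags, stream_id, payload); a trailing partial frame is dropped."""
    frames, i = [], 0
    while i + 9 <= len(data):
        length = int.from_bytes(data[i:i + 3], "big")
        if i + 9 + length > len(data):
            break
        ftype, flags = data[i + 3], data[i + 4]
        sid = int.from_bytes(data[i + 5:i + 9], "big") & 0x7FFFFFFF
        frames.append((ftype, flags, sid, data[i + 9:i + 9 + length]))
        i += 9 + length
    return frames


def data_body(frames, stream_id=1):
    """Concatenate DATA payloads for one stream, stripping padding when PADDED is set."""
    body = b""
    for ftype, flags, sid, payload in frames:
        if ftype == TYPE_DATA and sid == stream_id:
            if flags & FLAG_PADDED:
                payload = payload[1:len(payload) - payload[0]]
            body += payload
    return body


def stream_finished(frames, stream_id=1):
    """True once the server ended, reset, or went away on the stream we care about."""
    return any((sid == stream_id and (flags & FLAG_END_STREAM or ftype == TYPE_RST_STREAM))
               or ftype == TYPE_GOAWAY for ftype, flags, sid, _ in frames)


def probe(front_host, back_host, marker=b"happy little web server", timeout=10):
    """TLS with SNI=front_host and ALPN h2, request for back_host, report whether the marker
    came back in DATA frames. Needs network access; hostnames are assumptions."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2"])
    buf = b""
    with socket.create_connection((front_host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=front_host) as tls:
            if tls.selected_alpn_protocol() != "h2":
                raise RuntimeError("server did not negotiate HTTP/2")
            tls.sendall(fronted_request(back_host))
            while not stream_finished(parse_frames(buf)):
                try:
                    chunk = tls.recv(65536)
                except socket.timeout:
                    break
                if not chunk:
                    break
                buf += chunk
    return marker in data_body(parse_frames(buf))


if __name__ == "__main__":
    # Hosts from the comment; whether they still resolve or still front is not checked here.
    print(probe("spacebitco.in.net", "meek-reflect.cf"))
```

The bytes `fronted_request("meek-reflect.cf")` returns are exactly the ones in the printf, so the two can be diffed against each other. The check the comment describes for HTTP/1.1 (SNI versus `Host`) has its HTTP/2 counterpart in SNI versus the `:authority` pseudo-header carried in the HEADERS frame; `probe()` only reports whether the response body came back, so a 403 on the back domain or an empty body both read as failure.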