[tor-dev] Release: obfs4proxy-0.0.9
yawning at schwanenlied.me
Tue Feb 5 15:06:01 UTC 2019
I just tagged obfs4proxy-0.0.9. The main features of this release are
primarily related to improving the behavior of the `meek_lite` transport.
Since some of the changes are major, I will expand on them separately
from the brief summary given in the ChangeLog.
* A forked version of https://github.com/refraction-networking/utls
is now used to mask the TLS signature. This results in a ClientHello
that should resemble modern versions of Firefox by default. While
the utls profile is named `HelloFirefox_63`, a cursory examination
leads me to believe that there are no differences in FF 65.
The bridge line option `utls=<fingerprint>` will allow specifying the
behavior, with (case-insensitive) string representations of the utls
fingerprint names. `none` will revert to the previous behavior.
Not all fingerprints were tested and/or are guaranteed to work.
Development was primarily done with `HelloChrome_70`,
`HelloFirefox_63`, and `HelloChrome_71` (experimental). While I can
not vouch for the mimicry accuracy of every single profile, all of
the profiles that attempt to mimic browsers should function fairly
well, though this partially depends on the configuration of
the host doing the fronting.
* meek_lite now has HPKP style public key pins for all of the
Microsoft CA certs that are used to sign Azure leaf certificates.
This is only enabled when `utls` is being used, because I'm lazy. If
Microsoft happens to change their CA certificates prior to the next
release, 2024-05-20, or you are ok with being actively man-in-the-
middled for some reason, adding `disableHPKP=true` to the bridge
line will disable certificate pin validation.
HPKP headers in HTTP responses are ignored, only the static pin list
* Due to a shift in my philosophy, portions of the new code are
released under the GNU General Public License v3. Exceptions to
the viral nature of the license will be considered on a case-by-case
basis. Contact me for more details.
Changes in version 0.0.9 - 2019-02-05:
- Various meek_lite code cleanups and bug fixes.
- Bug 29077: uTLS for ClientHello camouflage (meek_lite).
- More fixes to HTTP Basic auth.
- (meek_lite) Pin the certificate chain public keys for the default
Tor Browser Azure bridge (meek_lite).
: obfs4proxy WILL NOT build with the upstream version of the library,
and the Firefox fingerprint will not function with Azure using the
: For "I can watch Eluveitie music videos on youtube over it"
definitions of "fairly well".
: Yes, the HPKP spec is rather dead in the wild with a lot of people
giving up on it. It is my opinion that in this context having such a
mechanism makes sense.
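
The static pin check described in the message, as an added example (not obfs4proxy's own code): a chain passes when any certificate in it has a pinned SubjectPublicKeyInfo hash, and `disabled` models `disableHPKP=true`. The names `spkiPin`, `checkPins` and `sampleCert` are hypothetical, the keys are constructed, and skipping enforcement after the 2024-05-20 date is an assumption about how that date is applied.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"time"
)

// spkiPin returns the HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkPins passes if any certificate in the chain carries a pinned public key.
func checkPins(pins map[string]bool, expiry, now time.Time, disabled bool, chain ...*x509.Certificate) error {
	if disabled || now.After(expiry) { // assumption: disabled or expired pins are not enforced
		return nil
	}
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return nil
		}
	}
	return fmt.Errorf("pin validation failed: none of %d chain keys is pinned", len(chain))
}

// sampleCert is constructed input: a certificate carrying only a fresh SPKI, all that pinning reads.
func sampleCert() *x509.Certificate {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	return &x509.Certificate{RawSubjectPublicKeyInfo: spki}
}

func main() {
	ca, other := sampleCert(), sampleCert()
	pins := map[string]bool{spkiPin(ca): true}
	expiry, now := time.Date(2024, 5, 20, 0, 0, 0, 0, time.UTC), time.Date(2019, 2, 5, 0, 0, 0, 0, time.UTC)
	fmt.Println(checkPins(pins, expiry, now, false, sampleCert(), ca), checkPins(pins, expiry, now, false, other))
}
```

In a Go TLS client a check like this would typically run from `tls.Config.VerifyPeerCertificate` over the verified chains, after normal certificate validation has succeeded.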