Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Peer Review Request]Restls: A Perfect Impersonation of TLS Handshake #223

Open
3andne opened this issue Feb 5, 2023 · 5 comments
Open

Comments

@3andne
Copy link

3andne commented Feb 5, 2023

Hi there,
I hope you are having a good day.
We're currently working on a brand new protocol named Restls which can be used as an extension to Shadowsocks. It shares a similar goal with ShadowTLS to circumvent GFW whitelisting but fixes ShadowTLS' fundamental flaw of not being able to provide server authentication. Such flaw might be utilized by GFW and blocks ShadowTLS precisely.
If that sounds good, you might want to take a look at the draft:
Restls: A Perfect Impersonation of TLS Handshake
You can find a proof-of-concept implementation in the same repo.
----------------------
你们好,
希望你们一切顺利。
我们正在设计一个新的协议,名为Restls,它可以作为Shadowsocks的插件使用。它的目标与ShadowTLS类似——绕过GFW的白名单机制,但它试图解决ShadowTLS在协议设计中未能实现的服务端认证,从而避免被准确封杀。
如果你觉得这听起来还行,你或许想看一看这个协议的设计稿:
Restls: 对TLS握手的完美伪装
这个仓库同样包含了一个实现以及其使用方式。

@3andne
Copy link
Author

3andne commented Feb 5, 2023

This extension (as well as ShadowTLS) would potentially change the 0-rtt nature of Shadowsocks. As of now Restls is only able to parrot TLS handshake. To achieve an overall perfect impersonation, we might need deeper integration with Shadowsocks so that Restls gets more context when an anomaly is detected on the Shadowsocks side. That would allow us to send TLS Alerts accordingly. So far Shadowsocks only resets the connection when an error happens.

@madeye
Copy link
Contributor

madeye commented Feb 7, 2023

It would be lovely to implement SIP003 client mode in your restls as well, so that shadowsocks users can use it as a plugin directly.

Some reference SIP003 Rust code here: https://github.com/shadowsocks/qtun/blob/master/src/args/mod.rs

@Mygod
Copy link
Contributor

Mygod commented Feb 8, 2023

This sounds like a good idea but I'm not sure. TLS is very complicated so I expect any TLS-based obfuscation would be very prone to loopholes and errors. @gfw-report Any thoughts, or ideas as for where to find people could review this design?

@Mygod
Copy link
Contributor

Mygod commented Feb 8, 2023

Oh I suppose you can post it to https://github.com/net4people/bbs/issues to see what people there think about this.

@3andne
Copy link
Author

3andne commented Feb 8, 2023

@Mygod Thanks for the nice suggestion.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants