https://mailarchive.ietf.org/arch/msg/tls/Dae-cukKMqfzmTT4Ksh1Bzlx7ws/ Present in and coming to your own countries soon... Re: [TLS] Possible blocking of Encrypted SNI extension in China David Fifield <david@bamsoftware.com> Fri, 07 August 2020 23:56 UTC On Thu, Jul 30, 2020 at 03:45:48PM +0000, onoketa wrote:

The Great Firewall of China may have identified and blocked Cloudflare's ESNI implementation.

I have found that when using a TLS client hello with ESNI extension to connect to servers behind Cloudflare's CDN, the connection will be cut off after the whole TLS handshake is done. And then that IP address will be blocked at the TCP level for several minutes.

There is now a detailed written report on the new phenomenon of ESNI blocking in China. It was produced by a collaboration of researchers from Geneva (https://censorship.ai/), GFW Report (https://gfw.report/), and iYouPort (https://www.iyouport.org/). https://geneva.cs.umd.edu/posts/china-censors-esni/esni/ (English) https://geneva.cs.umd.edu/zh/posts/china-censors-esni/esni/ (Chinese) Here are some of the points most likely to be of interest to this group: * The detector is not merely matching on the lack of plaintext SNI; it is specifically looking for the ESNI extension 0xffce. * The ESNI detector only matches the ESNI encrypted_server_name extension 0xffce (draft-ietf-tls-esni-00 through -06), not the ECH extensions encrypted_client_hello 0xff02, ech_nonce 0xff03, outer_extension 0xff04 (draft-ietf-tls-esni-07). * The encrypted_server_name extension has to be syntactically correct; the detector is not just looking for the byte patter ff cc. * Once an ESNI-containing ClientHello is detected, the firewall drops packets in the client→server direction for 120 or 180 seconds. * The detector runs on all TCP ports, not just 443. This short payload is sufficient to trigger blocking: 160303003b0100003703035b72616e646f6d72616e646f6d72616e646f6d7261 6e646f6d72616e646f6d5d0000000100000effce000a53754772000000000000 Python code to generate this payload is appended to this message. Most of the functions of the Great Firewall work bidirectionally, and the ESNI detection and blocking are no exception. Sending an ESNI-containing ClientHello from *outside* of China to a server *inside* results in temporary blocking, just the same as sending one from the inside to the outside. This makes it easy to experiment with, even if you don't control a host in China. To experience ESNI blocking for yourself, choose a responsive TCP port in China (doesn't have to be port 443), for example www.tsinghua.edu.cn:80. Begin a TCP ping to the port, for example using one of these commands: hping3 -S www.tsinghua.edu.cn -p 80 nping -4 -c 0 --tcp-connect www.tsinghua.edu.cn -p 80 Then send the trigger payload: printf '\x16\x03\x03\x00\x3b\x01\x00\x00\x37\x03\x03[randomrandomrandomrandomrandom]\x00\x00\x00\x01\x00\x00\x0e\xff\xce\x00\nSuGr\x00\x00\x00\x00\x00\x00' | nc -4 -v www.tsinghua.edu.cn 80 The TCP pings will stop receiving replies for 120 or 180 seconds, then will start back up again. ---- #!/usr/bin/env python3 # Generates a small TLS ClientHello that trigger's the GFW's ESNI detector. # Writes output to the file minimal.bin. import struct from scapy.all import * load_layer("tls") from scapy.layers.tls.all import * # https://tools.ietf.org/html/rfc8446#section-3.4 def var(ceiling, data): if ceiling < 256: fmt = ">B" elif ceiling < 65536: fmt = ">H" else: raise ValueError(ceiling) return struct.pack(fmt, len(data)) + data # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-01#section-5 def encrypted_server_name(suite, group, key_exchange, record_digest, encrypted_sni): return struct.pack(">HH", suite, group) \ + var(65535, key_exchange) \ + var(65535, record_digest) \ + var(65535, encrypted_sni) clienthello = TLS( msg = TLSClientHello( gmt_unix_time = 0x5b72616e, # "[ran" random_bytes = b"domrandomrandomrandomrandom]", ciphers = [], ext = [ # The GFW detector requires a syntactically valid # server_name_extension, but the actual values it contains may be # nonsense. Here we use a CipherSuite of 0x5375 ("Su"), a NamedGroup # of 0x4772 ("Gr"), and zero-length key_exchange, record_digest, and # encrypted_sni. TLS_Ext_Unknown(type=0xffce, val=encrypted_server_name(0x5375, 0x4772, b"", b"", b"")), ], ) ) TLS(bytes(clienthello)).show() print(bytes(clienthello)) FILENAME = "minimal.bin" open(FILENAME, "wb").write(bytes(clienthello)) print("output written to {}".format(FILENAME))