⚠️ Full stream desync support will soon be required! #190

EvgenKo423 opened this issue Oct 11, 2024 · 4 comments

@EvgenKo423

Since yesterday (for me, at least), DPI has started randomly blocking ALL SSL/TLS traffic to googlevideo.com:
Wireshark image
Very soon this change will be the default (multi-packet Client Hello analysis was rolled out like that before) and this proxy will be defeated!

@Viktor45

Viktor45 commented Oct 15, 2024

TLS 1.2 has been in the TSPU collection since August; use TLS 1.3 instead.

@EvgenKo423
Author

You're missing my point:

  1. RTFM:

    In TLS 1.3, the client indicates its version preferences in the "supported_versions" extension (Section 4.2.1) and the legacy_version field MUST be set to 0x0303, which is the version number for TLS 1.2. TLS 1.3 ClientHellos are identified as having a legacy_version of 0x0303 and a supported_versions extension present with 0x0304 as the highest version indicated therein.

    But I have an old version of Wireshark, so it doesn't know of TLS 1.3;

  2. TLS 1.3 is the default version in all modern browsers;

  3. In fact, according to my tests for googlevideo.com it currently blocks ALL SSL/TLS versions: SSL 3.0 - TLS 1.3 (didn't check SSL 2.0), without even checking SNI!;

  4. The point:
    All connections you see in the screenshot are to googlevideo.com, with bypass applied! Connections from (random) ports 10733-34 successfully passed through, but the one from port 10737 was blocked!
    The first TLS data packet is Client Hello. As you can see, the connection was blocked AFTER the Client Hello, on Change Cipher Spec, because there is no bypass applied to it!

You can dislike me as much as you want until it stops working. There are other people already seeing issues with video preload.
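
The identification rule quoted from RFC 8446 in the comment above, as an added example that is not part of the original thread: a tool that reads only `legacy_version` labels a TLS 1.3 handshake as TLS 1.2, so the `supported_versions` extension has to be parsed as well. The helper names `build_client_hello` and `offered_version` are hypothetical, the sample bytes are constructed, and the whole ClientHello is assumed to sit in a single TLS record.

```python
import struct

SUPPORTED_VERSIONS = 0x002B  # extension type 43 (RFC 8446, Section 4.2.1)

def build_client_hello(legacy_version, offered=None):
    """Build a minimal ClientHello record (constructed sample, not a capture)."""
    exts = b""
    if offered:
        vers = b"".join(struct.pack("!H", v) for v in offered)
        body = bytes([len(vers)]) + vers
        exts = struct.pack("!HH", SUPPORTED_VERSIONS, len(body)) + body
    hello = (struct.pack("!H", legacy_version) + bytes(32)  # version, random
             + b"\x00"                                      # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite
             + b"\x01\x00"                                  # null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_version(record):
    """Return (legacy_version, highest version actually offered)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record starting with ClientHello")
    pos = 9                                  # 5-byte record + 4-byte handshake header
    legacy = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                            # legacy_version, random
    pos += 1 + record[pos]                   # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]                   # compression_methods
    highest = legacy
    if pos + 2 > len(record):                # pre-extension ClientHello
        return legacy, highest
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= min(end, len(record)):
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == SUPPORTED_VERSIONS:
            count = record[pos]              # byte length of the version list
            vers = [struct.unpack_from("!H", record, pos + 1 + i)[0]
                    for i in range(0, count, 2)]
            # Drop GREASE placeholders (0x0A0A, 0x1A1A, ...) sent by some clients.
            vers = [v for v in vers if (v & 0x0F0F) != 0x0A0A]
            highest = max(vers, default=legacy)
        pos += ext_len
    return legacy, highest
```

For a record built with `legacy_version` 0x0303 and `supported_versions` listing 0x0304, the function returns 0x0303 as the legacy value and 0x0304 as the version on offer, which is the TLS 1.3 case the RFC text describes.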

@Viktor45

  1. But I have an old version of Wireshark, so it doesn't know of TLS 1.3;

Why didn't you specify these details in the first post?

@EvgenKo423
Author

EvgenKo423 commented Oct 16, 2024

Because I just wanted to warn as soon as possible and didn't want to spend much time on this report.
In general, I expect developers to be at least on the same level of competence as their users. I also expect people to either believe the original statement or prove it wrong.

Also when you say that you have something old, the general answer is "update and test again because we don't want to even do the testing"...
