openssl-for-sni-less-connection-testing

Ник	Пост	Дата
critical_error	With all our problems in Uzbekistan let me remind you that OpenSSL is a fast and dirty way to check whether a SNI-less connection is available to a blocked resource. It’s fast. It’s also dirty, because an openssl s_client/openssl s_server pair talks it’s own protocol, which is not known to the server being tested. Servers reject all the SNI-less connections quite often, so probably you’ll have to probe an another resource to come to a definite conclusion. I’d recommend adding a ‘-debug’ parameter to the command line mentioned in the SO answer.	2021-11-04T13:13:36.749Z
ValdikSS	critical_error: It’s also dirty, because an openssl s_client/openssl s_server pair talks it’s own protocol, which is not known to the server being tested. What do you mean? s_client is a regular TLS connection, nothing more. Example $ (echo -ne "GET / HTTP/1.1\r\nHost: yandex.ru\r\n\r\n"; sleep 3) \| openssl s_client -connect yandex.ru:443 CONNECTED(00000003) depth=2 C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA verify return:1 depth=1 C = RU, O = Yandex LLC, OU = Yandex Certification Authority, CN = Yandex CA verify return:1 depth=0 C = RU, L = Moscow, OU = ITO, O = Yandex LLC, CN = yandex.ru verify return:1 --- Certificate chain 0 s:C = RU, L = Moscow, OU = ITO, O = Yandex LLC, CN = yandex.ru i:C = RU, O = Yandex LLC, OU = Yandex Certification Authority, CN = Yandex CA 1 s:C = RU, O = Yandex LLC, OU = Yandex Certification Authority, CN = Yandex CA i:C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA 2 s:C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA i:C = PL, O = Unizeto Sp. z o.o., CN = Certum CA --- Server certificate -----BEGIN CERTIFICATE----- MIIIozCCB4ugAwIBAgIQI+zI37IaBcnHK05XQ4cS1zANBgkqhkiG9w0BAQsFADBf MQswCQYDVQQGEwJSVTETMBEGA1UEChMKWWFuZGV4IExMQzEnMCUGA1UECxMeWWFu ZGV4IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRIwEAYDVQQDEwlZYW5kZXggQ0Ew HhcNMjEwODMwMTQyMTU5WhcNMjIwMjI4MDAwMDAwWjBVMQswCQYDVQQGEwJSVTEP MA0GA1UEBwwGTW9zY293MQwwCgYDVQQLDANJVE8xEzARBgNVBAoMCllhbmRleCBM TEMxEjAQBgNVBAMMCXlhbmRleC5ydTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA BPXbn2MaxSzpkdTNPqpGMA4RWtw+v66S91GuZq7hDviCr3cnb7dXHNoY1/weJaWP +bgGMtqsppVannS2jqNH20mjggYuMIIGKjAMBgNVHRMBAf8EAjAAMGkGA1UdHwRi MGAwL6AtoCuGKWh0dHA6Ly9jcmxzLnlhbmRleC5uZXQvY2VydHVtL3ljYXNoYTIu Y3JsMC2gK6AphidodHRwOi8veWFuZGV4LmNybC5jZXJ0dW0ucGwveWNhc2hhMi5j cmwwcQYIKwYBBQUHAQEEZTBjMCwGCCsGAQUFBzABhiBodHRwOi8veWFuZGV4Lm9j c3AtcmVzcG9uZGVyLmNvbTAzBggrBgEFBQcwAoYnaHR0cDovL3JlcG9zaXRvcnku Y2VydHVtLnBsL3ljYXNoYTIuY2VyMB8GA1UdIwQYMBaAFDdc4xngso6hqE7Sz6vQ 3OMLXDVNMB0GA1UdDgQWBBQcg2nJ+yIj2TfUK4f2SeUmYoXvaTBMBgNVHSAERTBD MAgGBmeBDAECAjA3BgwqhGgBhvZ3AgUBCgIwJzAlBggrBgEFBQcCARYZaHR0cHM6 Ly93d3cuY2VydHVtLnBsL0NQUzAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH AwIwDgYDVR0PAQH/BAQDAgeAMIIC+wYDVR0RBIIC8jCCAu6CCXlhbmRleC5ydYIK eWFuZGV4Lm5ldIILeWFuZGV4LmFlcm+CFnhuLS1kMWFjcGp4M2YueG4tLXAxYWmC DXlhbmRleC5jb20ucnWCCXlhbmRleC5kZYINeWFuZGV4LmNvbS51YYIPKi55YW5k ZXguY29tLnRyggl5YW5kZXguYnmCCnlhbmRleC5vcmeCCXlhbmRleC5lZYIJeWFu ZGV4LnRqggsqLnlhbmRleC51eoILKi55YW5kZXgubHaCCXlhbmRleC5reoILKi55 YW5kZXguZnKCCXlhbmRleC5sdIIPKi55YW5kZXguY29tLnVhggsqLnlhbmRleC51 YYINKi55YW5kZXguam9ic4IMeWFuZGV4LmNvLmlsgg15YW5kZXguY29tLmFtgg15 YW5kZXguY29tLnRyggV5YS5ydYIJeWFuZGV4LmF6ggsqLnlhbmRleC50bYIJeWFu ZGV4Lmtnggl5YW5kZXgubWSCDCoueWFuZGV4Lm5ldIIMKi55YW5kZXgub3Jnggl5 YW5kZXguZnKCCyoueWFuZGV4LmRlghgqLnhuLS1kMWFjcGp4M2YueG4tLXAxYWmC CyoueWFuZGV4LmJ5ggcqLnlhLnJ1gg8qLnlhbmRleC5jb20uZ2WCDXlhbmRleC5j b20uZ2WCCXlhbmRleC51YYILKi55YW5kZXgudGqCCyoueWFuZGV4LmVlggsqLnlh bmRleC5sdIIJeWFuZGV4LnRtggl5YW5kZXgudXqCCyoueWFuZGV4LmF6ggt5YW5k ZXguam9ic4ILKi55YW5kZXgucnWCCXlhbmRleC5sdoILKi55YW5kZXgubWSCDCou eWFuZGV4LmNvbYILKi55YW5kZXgua3qCCnlhbmRleC5jb22CDyoueWFuZGV4LmNv bS5ydYIOKi55YW5kZXguY28uaWyCCyoueWFuZGV4Lmtngg0qLnlhbmRleC5hZXJv gg8qLnlhbmRleC5jb20uYW0wggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoBaAB1AG9T dqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABe5drp7UAAAQDAEYwRAIg QT250o43qTQ82/FcaUeiqT/cNr+lwm/YNCatXOiiPbwCIA2pgTN9PZ1dYqHzsJfu 2jHOeMoNJhZfg2neFMnZ1H2rAHYARqVV63X6kSAwtaKJafTzfREsQXS+/Um4havy /HD+bUcAAAF7l2untAAABAMARzBFAiEA8/1KXVBK4k7jpfIJJWXa3at+Br/fhtGl qfwReQrYEkQCICQIipOhWcfsFn1luHLs3uuZ5Y2xZC1ED21Z5Rnl/E7oAHcAVYHU whaQNgFK6gubVzxT8MDkOHhwJQgXL6OqHQcT0wwAAAF7l2un3AAABAMASDBGAiEA 3haQavO9xagPVJDZmfpXAUxEmrFOnKFTjWusBUcqtZQCIQCH6IlPb+sBlUZPmHnh 2zRxGWidCklmfC4K3MpziH/PqTANBgkqhkiG9w0BAQsFAAOCAQEAbIUAxjezMTPB mgFTpR5JpoEABqZEif1O4dqlDArGBkXJ9x0fLwjmYFvG/PgIoPaI0dm/UWP2rrxo xwU57I2c/zVxxwOUwnNsZVv5RtiYePTNtbdOsMWTKMyPTXVGy4fvndAdS3Cg9sqn vmqebO75hx0/L6upg3Aojf9XaQNA3Iucmb3zXMiUB3PQQccyVxyRqXFIlB6Q8uGG F3pyYuidqa3jU+ToWrCO7lD+brkFPCDC+/EALw6AfrrsLa3uDWU6b2G4x0MQrOTI vd9460f1nmW3d8LXdcc1Y7ai8RcMEtdV5qHXj8jz2mhWR1OgUnTH35G2vtjLR1sG eX4RWZWlWQ== -----END CERTIFICATE----- subject=C = RU, L = Moscow, OU = ITO, O = Yandex LLC, CN = yandex.ru issuer=C = RU, O = Yandex LLC, OU = Yandex Certification Authority, CN = Yandex CA --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: ECDSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 5000 bytes and written 391 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 256 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: 9185FFB53311D846CB76EDA755A115431B800EA7D86308E15BA99F9E71E26B37 Session-ID-ctx: Resumption PSK: 831D819F1E2AE84E302FAEE7B02B5A6C80820D35313371A33FAE5905BA0EFD18462F367F39A39311FECBAC82A443A7E4 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 100800 (seconds) TLS session ticket: 0000 - 17 31 08 61 a6 42 6c a3-26 c7 0e 6b 5a 96 33 d1 .1.a.Bl.&..kZ.3. 0010 - e0 e1 a1 66 fd 25 82 93-8f 97 5d c0 cd 7e 3a b8 ...f.%....]..~:. 0020 - 0e d1 c6 8f aa 9d 24 69-59 eb 75 47 4f 0b 2a 61 ......$iY.uGO.a 0030 - ee 99 85 bd d6 47 f3 7f-c9 cb 2c 87 1f 84 92 76 .....G....,....v 0040 - 1a c8 7b d2 5e cd 34 11-cb 0f a2 cf 45 0f a6 c7 ..{.^.4.....E... 0050 - de 09 9a b6 8d d0 57 9a-ec 0e cd 13 70 e2 63 95 ......W.....p.c. 0060 - fd df 4e 2f 39 fb 4d cc-d7 b2 c2 ce b8 bc 4a 58 ..N/9.M.......JX 0070 - f1 12 8b 5f 43 b3 f2 57-0d bb 2b 8b ad 19 48 c1 ..._C..W..+...H. 0080 - 41 5e 6f 3d c2 ff 80 39-09 36 38 bb 86 6f 58 52 A^o=...9.68..oXR 0090 - b1 f4 4b 8c 9b e9 d6 49-41 6a d4 a9 58 d8 e9 31 ..K....IAj..X..1 00a0 - 0c 0f 8e 58 ef a7 93 8e-49 5d 35 ff 97 d4 12 36 ...X....I]5....6 00b0 - d2 bb cf a5 ac 32 80 57-02 00 c1 6b 13 aa 10 ee .....2.W...k.... Start Time: 1636032058 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- read R BLOCK --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: 939BA184F96D08DC33E2236E7AC76ADF3D9F440792E235C1C9E93F7B3980D639 Session-ID-ctx: Resumption PSK: C5282598982E929C3587169A663817F417B3B0CDD07B0D18CFD92B461F33A7877EA0FCAFCDF9C64B7A52CB355BB7F4DE PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 100800 (seconds) TLS session ticket: 0000 - 17 31 08 61 a6 42 6c a3-26 c7 0e 6b 5a 96 33 d1 .1.a.Bl.&..kZ.3. 0010 - 11 5c 6d 07 e3 27 c0 98-9e cb e6 57 24 d0 1a 81 .\m..'.....W$... 0020 - ea 47 79 65 8f ff 07 97-fc ab bb 75 b5 68 30 1e .Gye.......u.h0. 0030 - 5d ee 90 aa 70 d8 16 a3-fa 9c aa 10 ee 47 27 b3 ]...p........G'. 0040 - 93 46 a5 a8 a3 40 4f 5e-df 54 53 7f a3 a9 19 83 .F...@O^.TS..... 0050 - 96 80 58 64 2a 7a c3 28-43 d4 56 ef e3 62 b4 8f ..Xdz.(C.V..b.. 0060 - 20 bb 91 3b 65 7f 35 94-67 82 36 7e f4 92 42 3d ..;e.5.g.6~..B= 0070 - 82 61 e8 b1 c6 64 ee 17-24 4b ad 78 89 b9 e1 f8 .a...d..$K.x.... 0080 - 69 d7 08 0a 71 64 0a d6-95 91 10 ba 51 6c af ac i...qd......Ql.. 0090 - 1b 59 8d ae 4d d0 49 d8-51 ef 92 e1 d6 aa b4 dc .Y..M.I.Q....... 00a0 - af 9a ba a7 67 c8 42 c4-f5 ae f0 1d 79 87 68 88 ....g.B.....y.h. 00b0 - 91 b5 80 19 20 86 59 b9-66 30 08 d4 8b e1 b0 5c .... .Y.f0.....\ Start Time: 1636032058 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- read R BLOCK HTTP/1.1 200 Ok Accept-CH: Viewport-Width, DPR, Device-Memory, RTT, Downlink, ECT Accept-CH-Lifetime: 31536000 Cache-Control: no-cache,no-store,max-age=0,must-revalidate ...	2021-11-04T13:22:45.115Z
critical_error	Of course, you are right. One can check TLS connection establishment using openssl s_client. But after the connection establishment s_client makes a special request to s_server. A server being tested most probably doesn’t await it.	2021-11-04T13:26:57.082Z
ValdikSS	I was not aware of that, will take a look. Check the following: HTTP headers/TLS padding as a censorship circumvention method - #2 by ValdikSS	2021-11-04T13:28:47.747Z
critical_error	To my shame, there is no special magic between an openssl s_server and an openssl s_client. Without an ‘-www’ option openssl s_server talks a trivial protocol. ’ If a connection request is established with an SSL client and neither the -www nor the -WWW option has been used then normally any data received from the client is displayed and any key presses will be sent to the client.’ Simple hacks with GET requests are possible.	2021-11-04T14:18:29.796Z
critical_error	So openssl s_client -quiet is a fast and smart way to check whether a SNI-less connection is available to some blocked resource.	2021-11-04T14:27:46.518Z