Opened 2 years ago

Last modified 14 months ago

#14256 new enhancement

Clarify whether Cloudflare's Universal SSL thing works with meek

Reported by: cypherpunks
Owned by: dcf
Priority: Medium
Milestone:
Component: Obfuscation/meek
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The Meek wiki page has a section on CloudFlare as a possible CDN to use, but seems to have been written before CloudFlare rolled out their Universal SSL free tier.
Would it be possible to have a meek-cloudflare using this Universal SSL thing?


Change History (5)

comment:1 Changed 2 years ago by dcf

Please give it a try. I think it works. There are some sample Wget commands on the wiki page.

If you're a CloudFlare customer you can easily test it yourself. Set up a new domain with https://meek.bamsoftware.com/ as your origin server. Then try to Wget a different CloudFlare home page with your domain name in the Host header.

I think CloudFlare is a good deployment target. But first we need to find a way to pay for it. It's also a non-negligible amount of maintenance work, each additional backend we deploy. If CloudFlare offers a better value (cheaper or better performance than meek-amazon, for example) then it would make sense to switch to it.

comment:2 follow-up: Changed 19 months ago by benjojo

Recent changes to how CloudFlare validates TLS connections means that this will no longer work.

Host header spoofing does not work for technical reasons on CloudFlare.

[ Disclosure: I work for CloudFlare ]

comment:3 in reply to: ↑ 2 Changed 19 months ago by dcf

Replying to benjojo:

Recent changes to how CloudFlare validates TLS connections means that this will no longer work.

Host header spoofing does not work for technical reasons on CloudFlare.

[ Disclosure: I work for CloudFlare ]

Thanks for the information. We hadn't yet tried to get CloudFlare working, and knowing this will save some frustration.

If there is a way to restore this characteristic of the infrastructure, consistent with CloudFlare's technical and business constraints, a lot of censored users will appreciate it.

comment:4 follow-up: Changed 14 months ago by abacabadabacaba

  • Severity set to Normal

I did some experiments with CloudFlare, and here are the results:

When using HTTP/1.1, CloudFlare requires the SNI hostname to match the value of the Host header. If this is violated, HTTP error 403 is returned.

However, when using HTTP/2, the check is less strict. HTTP/2 has a feature where a single connection can be used with multiple host names as long as the TLS certificate presented by the server is valid for all those host names. When using CloudFlare Free SSL, a single certificate is generated for multiple domains, and it is possible to utilize domain fronting as long as both the front and the back domain use the same certificate.

I don't know how they choose which domains share a certificate. Also, these certificates seem to be reissued much more frequently than their validity period might suggest. As a result, domain fronting with CloudFlare is possible, but not very convenient.

Anyway, I registered an address https://meek-reflect.cf/ which you can use for testing. Unfortunately, I don't know any command-line tools that can send HTTP/2 requests, and constructing HTTP/2 requests by hand is not trivial. Still, you can use this command to try the voodoo magic of domain fronting for yourself:

printf 'PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n\0\0\0\4\0\0\0\0\0\0\0\24\1\5\0\0\0\1\202\207\1\17meek-reflect.cf\204' | openssl s_client -quiet -connect spacebitco.in.net:443 -servername spacebitco.in.net -alpn h2

If you see the text "I'm just a happy little web server." somewhere in the output, then it worked.
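As an added example that is not part of the ticket or of meek, the following Python builds the same HTTP/2 bytes the printf command above sends (client preface, an empty SETTINGS frame, then one HEADERS frame carrying a static-table-only HPACK block), decodes them back into frames and header fields, and models the two checks described in this thread: comment:1's HTTP/1.1 Host-versus-SNI test and comment:4's HTTP/2 connection-coalescing rule. `SAMPLE_SANS` and all function names are constructed for illustration; the certificate names it lists are not CloudFlare's real SANs.

```python
"""Builds and decodes the HTTP/2 bytes behind the printf command above,
and models the two host checks the thread describes.  Added example,
not code from the ticket or from meek; all names are chosen here."""
import struct
import sys

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # RFC 7540 s.3.5 client preface
SETTINGS, HEADERS = 0x4, 0x1                    # frame types
END_STREAM, END_HEADERS = 0x1, 0x4              # HEADERS flags

# HPACK static table entries used below (RFC 7541 Appendix A)
STATIC = {1: (":authority", ""), 2: (":method", "GET"),
          4: (":path", "/"), 7: (":scheme", "https")}

# Exact bytes the ticket's printf command emits (its octal escapes expanded)
PAGE_COMMAND_BYTES = (PREFACE
                      + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"
                      + b"\x00\x00\x14\x01\x05\x00\x00\x00\x01"
                      + b"\x82\x87\x01\x0fmeek-reflect.cf\x84")


def frame(ftype, flags, stream_id, payload):
    """9-byte frame header: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def hpack_get_request(authority):
    """Static-table-only HPACK block for 'GET https://<authority>/'."""
    auth = authority.encode("ascii")
    if len(auth) > 126:
        raise ValueError("single-byte string length only; hostname too long")
    return (bytes([0x80 | 2])            # indexed field 2: :method GET
            + bytes([0x80 | 7])          # indexed field 7: :scheme https
            + bytes([0x00 | 1])          # literal without indexing, name = field 1 (:authority)
            + bytes([len(auth)]) + auth  # raw (non-Huffman) value: length byte with H bit clear
            + bytes([0x80 | 4]))         # indexed field 4: :path /


def build_request(authority):
    """Preface, empty SETTINGS, then one HEADERS frame on stream 1 that ends the stream."""
    return (PREFACE + frame(SETTINGS, 0, 0, b"")
            + frame(HEADERS, END_STREAM | END_HEADERS, 1, hpack_get_request(authority)))


def parse_frames(data):
    """Return [(type, flags, stream_id, payload), ...] for the frames after the preface."""
    if not data.startswith(PREFACE):
        raise ValueError("missing client connection preface")
    frames, pos = [], len(PREFACE)
    while pos < len(data):
        if len(data) - pos < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append((ftype, flags, stream_id, payload))
        pos += 9 + length
    return frames


def decode_static_headers(block):
    """Decode the HPACK subset used above: indexed fields, and literal-without-indexing
    fields whose name is a static index and whose value is a raw (non-Huffman) string."""
    headers, i = [], 0
    while i < len(block):
        b = block[i]
        if b & 0x80:                                    # 1xxxxxxx: indexed header field
            headers.append(STATIC[b & 0x7F])
            i += 1
        elif (b & 0xF0) == 0 and (b & 0x0F):            # 0000xxxx, xxxx != 0: literal, indexed name
            name = STATIC[b & 0x0F][0]
            length = block[i + 1]
            if length & 0x80:
                raise ValueError("Huffman-coded value not handled here")
            value = block[i + 2:i + 2 + length].decode("ascii")
            headers.append((name, value))
            i += 2 + length
        else:
            raise ValueError("unsupported HPACK representation 0x%02x" % b)
    return headers


def http1_allowed(sni, host):
    """HTTP/1.1 rule reported in comment:4: Host must equal the SNI name, else the edge returns 403."""
    return sni == host


def http2_allowed(sni, authority, sans_by_name):
    """HTTP/2 rule reported in comment:4 (connection coalescing, RFC 7540 s.9.1.1): a request
    for `authority` is accepted on a connection opened with `sni` only if the certificate
    served for `sni` also covers `authority`."""
    return authority in sans_by_name.get(sni, ())


# Constructed sample: which names the certificate served for each SNI covers (illustrative only)
SAMPLE_SANS = {"spacebitco.in.net": {"spacebitco.in.net", "meek-reflect.cf"},
               "meek-reflect.cf": {"spacebitco.in.net", "meek-reflect.cf"}}


if __name__ == "__main__":
    # Emits the same bytes as the ticket's printf, so it can be piped into openssl s_client the same way.
    request = build_request("meek-reflect.cf")
    for ftype, flags, sid, payload in parse_frames(request):
        print("type=%d flags=%#x stream=%d payload=%s" % (ftype, flags, sid, payload.hex()), file=sys.stderr)
    print(decode_static_headers(parse_frames(request)[1][3]), file=sys.stderr)
    sys.stdout.buffer.write(request)
```

Run it with `python3 h2front.py | openssl s_client -quiet -connect spacebitco.in.net:443 -servername spacebitco.in.net -alpn h2` to reproduce the ticket's command; the frame dump on stderr shows why the request is accepted under the HTTP/2 rule but not the HTTP/1.1 one: the TLS layer sees only the SNI, while the `:authority` travels inside the HPACK block of stream 1.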

comment:5 in reply to: ↑ 4 Changed 14 months ago by dcf

Replying to abacabadabacaba:

I did some experiments with CloudFlare, and here are the results:

Thanks, good to know. That's a creative approach.
