Opened 20 months ago

Closed 7 weeks ago

#18654 closed enhancement (fixed)

Use TLS WebSockets (wss://) for proxy-to-server communication

Reported by: dcf
Owned by:
Priority: High
Milestone:
Component: Obfuscation/Snowflake
Version:
Severity: Normal
Keywords: snowflake, cupcake
Cc: serene
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

We might as well use secure WebSockets (wss://) instead of plain WebSockets (ws://).

For this, the server plugin needs TLS support. It can probably be cribbed from meek-server, which defaults to TLS.

I started a thread asking for brainstorming on how to easily use Let's Encrypt with a specialized HTTP server like our server plugins.

Child Tickets

Attachments (1)

snowflake-letsencrypt.0.patch (11.0 KB) - added by dcf 10 months ago.

Change History (11)

comment:1 Changed 16 months ago by serene

Cc: serene added

Been updating a few things on my end -- when I visit keroserene.net/snowflake with https, snowflake doesn't work due to the lack of wss from proxy to server. While it's trivial to set the proxy javascript to use wss, we still also need to get the server plugin to accept that. How much time would it take to get TLS support on the server plugin?

comment:2 in reply to: 1 Changed 16 months ago by dcf

Replying to serene:

Been updating a few things on my end -- when I visit keroserene.net/snowflake with https, snowflake doesn't work due to the lack of wss from proxy to server. While it's trivial to set the proxy javascript to use wss, we still also need to get the server plugin to accept that. How much time would it take to get TLS support on the server plugin?

It's probably not too bad. This is the source file:
https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/server/server.go

You can probably copy the startListenerTLS and listenTLS functions from meek-server:
https://gitweb.torproject.org/pluggable-transports/meek.git/tree/meek-server/meek-server.go?id=edc089e5af06eebf6a5b1d84d278082746a22c48#n306

comment:3 Changed 16 months ago by dcf

And then of course we'll have to get a certificate and put a domain name for the bridge in the proxy rather than an IP address.

comment:4 Changed 11 months ago by serene

Keywords: snowflake cupcake added
Priority: Low → High

Increasing priority on this now because of imminent snowflake alpha -- we need to increase the capacity of the snowflake network, and this would have a huge impact on distribution of snowflake proxies. We should definitely not be limited to plain http sites, especially once cupcake+snowflake is happening. Will try to find more time and/or help on this soon.

Changed 10 months ago by dcf

Attachment: snowflake-letsencrypt.0.patch added

comment:6 Changed 10 months ago by dcf

Status: new → needs_review

I have some code for automatic TLS on the websocket server. I just asked for a personal repo to host it in #21276, but in the meantime here's a patch:

attachment:snowflake-letsencrypt.0.patch

It's using the acme/autocert package. This integrates with the Config.GetCertificate callback to fetch a new certificate on demand. The basic idea comes from a patch gtank made for meek-server in comment:8:ticket:18655. Basically, now, instead of using --tls-cert and --tls-key options, you use --acme-hostnames specifying the hostnames that can appear on the certificate. One surprise is that if you are not already listening on port 443, the program will open an additional listener on 443, because that's the only port the ACME spec allows.

I have the code as of 138d2b5391 running at wss://snowflake.bamsoftware.com:443. It is a dedicated machine I just set up for the purpose. I made the necessary changes to the proxy code to use this wss bridge. We can add additional hostnames, too, to avoid relying solely on bamsoftware.com DNS: you just have to make a new DNS name (e.g. snowflake.keroserene.net), point it at the same server, and then add an additional --acme-hostname option to the ServerTransportPlugin command in torrc.
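
The mechanism described in this comment, as an added illustration in Go that is not the attached patch or snowflake's own code: the --acme-hostnames allowlist gating a tls.Config.GetCertificate callback, and the check that decides whether an extra listener on port 443 is needed. The ACME client itself is not reproduced; the injected fetch function that stands in for it and the names newACMEManager and needsACMEListener are assumptions.

```go
package main

import (
	"crypto/tls"
	"errors"
	"net"
	"strings"
)

// acmeManager holds the --acme-hostnames allowlist and the function that gets
// a certificate for one name (the ACME client in the real server; a stub here).
type acmeManager struct {
	allowed map[string]bool
	fetch   func(hostname string) (*tls.Certificate, error)
}

// newACMEManager takes the comma-separated value of --acme-hostnames.
func newACMEManager(acmeHostnames string, fetch func(string) (*tls.Certificate, error)) *acmeManager {
	m := &acmeManager{allowed: map[string]bool{}, fetch: fetch}
	for _, h := range strings.Split(acmeHostnames, ",") {
		m.allowed[strings.ToLower(strings.TrimSpace(h))] = true
	}
	return m
}

// GetCertificate is the tls.Config.GetCertificate callback: refuse SNI names
// outside the allowlist (so the CA is never asked for them) and fetch the
// certificate on demand for the rest; a real manager also caches and renews.
func (m *acmeManager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	name := strings.ToLower(hello.ServerName)
	if !m.allowed[name] {
		return nil, errors.New("SNI name not in --acme-hostnames: " + name)
	}
	return m.fetch(name)
}

// TLSConfig wires the callback in, replacing static --tls-cert/--tls-key.
func (m *acmeManager) TLSConfig() *tls.Config {
	return &tls.Config{GetCertificate: m.GetCertificate, MinVersion: tls.VersionTLS12}
}

// needsACMEListener reports whether a second listener on :443 is required
// besides the configured address: the ACME TLS challenge only reaches 443.
func needsACMEListener(addr string) (bool, error) {
	_, port, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	return port != "443", nil
}
```

A request for a name that is not in the allowlist fails the handshake before anything is asked of the CA, which is what keeps the option from turning the bridge into an open certificate requester.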

comment:8 Changed 8 months ago by dcf

I merged the letsencrypt branch in 61b604fc46df7e43d8a6069e7c6c00204d46665d.

comment:9 Changed 7 months ago by dcf

I think all the necessary TLS parts are in place now, and the badge is now using TLS websockets by default.

serene, could you change the badge code at https://keroserene.net/snowflake/ to use an https link for keroserene.net/snowflake/embed.html? I think that's the last thing required.

comment:10 in reply to: 9 Changed 7 weeks ago by dcf

Resolution: fixed
Status: needs_review → closed

Replying to dcf:

I think all the necessary TLS parts are in place now, and the badge is now using TLS websockets by default.

serene, could you change the badge code at https://keroserene.net/snowflake/ to use an https link for keroserene.net/snowflake/embed.html? I think that's the last thing required.

Serene updated the links to use https.