From ded509e5fa532f805b08778ee5d5317d161b5803 Mon Sep 17 00:00:00 2001
From: Rod Hynes
Date: Tue, 12 Nov 2024 10:44:02 -0500
Subject: [PATCH 1/3] Log proxy announce delay in readable format
---
 psiphon/common/inproxy/proxy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/psiphon/common/inproxy/proxy.go b/psiphon/common/inproxy/proxy.go
index 317c189e8..3a6427fe7 100644
--- a/psiphon/common/inproxy/proxy.go
+++ b/psiphon/common/inproxy/proxy.go
@@ -428,7 +428,7 @@ func (p *Proxy) proxyClients(
 p.config.Logger.WithTraceFields(
 common.LogFields{
 "error": errMsg,
- "delay": delay,
+ "delay": delay.String(),
 "jitter": jitter,
 }).Error("proxy client failed")
 logErrorsCount -= 1
From d95a00398dd825a94682a7f5d1dd66d22783816f Mon Sep 17 00:00:00 2001
From: Rod Hynes
Date: Tue, 12 Nov 2024 11:01:52 -0500
Subject: [PATCH 2/3] Fix comment typo
---
 psiphon/common/inproxy/brokerClient.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/psiphon/common/inproxy/brokerClient.go b/psiphon/common/inproxy/brokerClient.go
index 8d3dd85f1..79f98af16 100644
--- a/psiphon/common/inproxy/brokerClient.go
+++ b/psiphon/common/inproxy/brokerClient.go
@@ -75,7 +75,7 @@ type BrokerClient struct {
 func NewBrokerClient(coordinator BrokerDialCoordinator) (*BrokerClient, error) {
 // A client is expected to use an ephemeral key, and can return a
- // zero-value private key. Each proxy should use a peristent key, as the
+ // zero-value private key. Each proxy should use a persistent key, as the
 // corresponding public key is the proxy ID, which is used to credit the
 // proxy for its service.
From eabb3d0a1b11d6231bd2d0d0a8bb0c1d855d45b0 Mon Sep 17 00:00:00 2001
From: Rod Hynes
Date: Tue, 12 Nov 2024 14:19:16 -0500
Subject: [PATCH 3/3] Fix to avoid incompatible randomized DTLS ClientHello
---
 replace/dtls/flight1handler.go | 27 +++++++++++++++++++
 .../github.com/pion/dtls/v2/flight1handler.go | 27 +++++++++++++++++++
 2 files changed, 54 insertions(+)
diff --git a/replace/dtls/flight1handler.go b/replace/dtls/flight1handler.go
index 90aa5e718..692578fb8 100644
--- a/replace/dtls/flight1handler.go
+++ b/replace/dtls/flight1handler.go
@@ -160,6 +160,33 @@ func flight1Generate(ctx context.Context, c flightConn, state *State, _ *handsha
 })
 cipherSuites = cipherSuites[:cut(len(cipherSuites))]
+ // At least one ECC cipher suite needs to be retained for compatibilty
+ // with the server's ECC certificate. Select from the ECC cipher suites
+ // currently returned by defaultCipherSuites.
+
+ eccCipherSuites := []uint16{
+ uint16(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
+ uint16(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
+ uint16(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
+ }
+ hasECC := false
+ checkECCLoop:
+ for _, cipherSuite := range cipherSuites {
+ for _, eccCipherSuite := range eccCipherSuites {
+ if cipherSuite == eccCipherSuite {
+ hasECC = true
+ break checkECCLoop
+ }
+ }
+ }
+ if !hasECC {
+ eccCipherSuite := eccCipherSuites[PRNG.Intn(len(eccCipherSuites))]
+ cipherSuites = append(cipherSuites, eccCipherSuite)
+ PRNG.Shuffle(len(cipherSuites), func(i, j int) {
+ cipherSuites[i], cipherSuites[j] = cipherSuites[j], cipherSuites[i]
+ })
+ }
+
 for _, ext := range extensions {
 switch e := ext.(type) {
 case *extension.SupportedSignatureAlgorithms:
diff --git a/vendor/github.com/pion/dtls/v2/flight1handler.go b/vendor/github.com/pion/dtls/v2/flight1handler.go
index 90aa5e718..692578fb8 100644
--- a/vendor/github.com/pion/dtls/v2/flight1handler.go
+++ b/vendor/github.com/pion/dtls/v2/flight1handler.go
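Review bot: In replace/dtls/flight1handler.go, the fallback under `if !hasECC` draws from the hard-coded `eccCipherSuites` list rather than from the suites the preceding cut removed, so it can append an ID that was never in this connection's shuffled list. Where `cipherSuites` is populated is outside the hunk, but if it reflects a configured set, the ClientHello would advertise a suite the local side did not enable, and the hard-coded list will drift silently if defaultCipherSuites changes. Consider taking a copy before the cut, e.g. `offered := append([]uint16(nil), cipherSuites...)`, and choosing the fallback from the ECDSA entries of that copy, using the hard-coded IDs only as the membership test. The new comment also misspells `compatibility` as `compatibilty`. The identical hunk in vendor/github.com/pion/dtls/v2/flight1handler.go needs the same treatment; flight1Generate begins and ends outside the hunk.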
@@ -160,6 +160,33 @@ func flight1Generate(ctx context.Context, c flightConn, state *State, _ *handsha
 })
 cipherSuites = cipherSuites[:cut(len(cipherSuites))]
+ // At least one ECC cipher suite needs to be retained for compatibilty
+ // with the server's ECC certificate. Select from the ECC cipher suites
+ // currently returned by defaultCipherSuites.
+
+ eccCipherSuites := []uint16{
+ uint16(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
+ uint16(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA),
+ uint16(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384),
+ }
+ hasECC := false
+ checkECCLoop:
+ for _, cipherSuite := range cipherSuites {
+ for _, eccCipherSuite := range eccCipherSuites {
+ if cipherSuite == eccCipherSuite {
+ hasECC = true
+ break checkECCLoop
+ }
+ }
+ }
+ if !hasECC {
+ eccCipherSuite := eccCipherSuites[PRNG.Intn(len(eccCipherSuites))]
+ cipherSuites = append(cipherSuites, eccCipherSuite)
+ PRNG.Shuffle(len(cipherSuites), func(i, j int) {
+ cipherSuites[i], cipherSuites[j] = cipherSuites[j], cipherSuites[i]
+ })
+ }
+
 for _, ext := range extensions {
 switch e := ext.(type) {
 case *extension.SupportedSignatureAlgorithms: