erebe
Error while upgrading cnx to http
Describe the goal
ws server is the same on both env. Connect wstunnel thru a proxy chains
- in a TEST environment, it works [wstunnel client]-> local http proxy -> remote http proxy -> remote socks5 proxy -> remote http proxy -> wstunnel server
- in a PROD environment, quite same chaining, got an error π€π€π€
Testing with a simple curl -kL https://url -x socks5h://wstunnel_ip:socks5_ip ,
- in TEST works perfect
- in PROD i got errors
Error while upgrading cnx to httpπ₯²
Describe what does not work
Client side i have no errors, apparently, wstunnel starts and starts listening at its socks5. Server side i got a strange error,
ERROR cnx{peer="1.2.3.4:31734"}: wstunnel::tunnel::server::server: Error while upgrading cnx to http: hyper::Error(Io, Custom { kind: UnexpectedEof, error: "connection closed before reading preface" })
Maybe production http proxy filter and alter https/ws packets? π₯²
Describe your wstunnel setup
server wss://local_ip:443 --tls-certificate \path_to\fullchain.pem --tls-private-key \path_to\privkey.pem --restrict-http-upgrade-path-prefix my_private_prefix --remote-to-local-server-idle-timeout 30m --websocket-ping-frequency-sec 600 --log-lvl DEBUG
INFO cnx{peer="1.2.3.4:31734"}: wstunnel::tunnel::server::server: Accepting connection
INFO cnx{peer="1.2.3.4:31734"}: wstunnel::tunnel::server::server: Doing TLS handshake
DEBUG cnx{peer="1.2.3.4:31734"}: rustls::server::hs: decided upon suite TLS13_AES_256_GCM_SHA384
DEBUG cnx{peer="1.2.3.4:31734"}: rustls::server::hs: Chosen ALPN protocol [104, 50]
ERROR cnx{peer="1.2.3.4:31734"}: wstunnel::tunnel::server::server: Error while upgrading cnx to http: hyper::Error(Io, Custom { kind: UnexpectedEof, error: "connection closed before reading preface" })
Desktop (please complete the following information):
Chaining many OS ==> Linux (Ubuntu / Debian / Alma) and also Windows
Are you starting your wstunnel client to use http2 ?
Because the server see an incoming TLS connection with Chosen ALPN protocol [104, 50] which means h2 (http2).
While for websocket the ALPN should be http/1.1
You can use TRACE log level on the server to get more info.
I'll try tracing π
But i think it's the production proxy (it has also a firewall onboard!) which filters or alters the TLS communication with the ws server, and so the connection is for some networking reason not going well.
Considering the test proxy has no filters/firewall and it's full open, and ws client connects well π€·ββοΈ
PS. how can i force not using HTTP2? Can't see parameters client side π€π€π€
Attached a clean session with a single curl get. (hoping have removed all sensible data πππ)
[cut]
Ha it seems you start your client with http2 as transport protocol
wstunnel client -L socks5://127.0.0.1:1080 --connection-min-idle 0 --tls-sni-override my.domain.com --http-upgrade-path-prefix my_path https://my.domain.com:443 --tls-certificate /etc/certs/fullchain.pem --tls-private-key /etc/certs/privkey.pem --tls-verify-certificate -p proxy:port --log-lvl TRACE
https://my.domain.com:443
to use websocket as transport, you need to change it to
wss://my.domain.com:443
It should work better after that
Gosh! You're perfect right. Didn't noticed i started remote to https π€¦ββοΈforce of habit π
I'll try again soon with remote wss:// .
But i really think the proxy/firewall has something which changes headers/packets π₯²
Thanks πππ
Surely production proxy/fw is filtering πππ
TEST PROXY == OK == tunnel & next curl went ok
PROD PROXY == KO == alpn: None / DEBUG cnx{peer="my_remote_ip:32094"}: rustls::common_state: Sending warning alert CloseNotify
[cut]
I'll find another way to connect the tunnel π€·ββοΈ
Indeed that's strange, it seems you never receive data server side. To investigate more, I would need a network capture.
export SSLKEYLOGFILE=/tmp/tls_keys.txt
wstunnel server ... wss://local_ip:443
# in another terminal
sudo tcpdump -i any port 443 -w capture.pcap -s 65535
and you can send me the /tmp/tls_keys.txt and capture.pcap files for a ko request
Not so strange. Prod Proxy (HTTPS) and its firewall has many professional filters and tls inspectors. Surely it changes the packets flow so ws can't understand what's going on π€·ββοΈπ€·ββοΈπ€·ββοΈ
wstunnel works perfect, it's proxy who alters its flow π₯²
Don't mind about it. Eventually i'll send the tcpdump, in other case ok so π€·ββοΈ
@verbal666 @erebe You can try use a public CA like letsencrypt. Some firewall block selfsigned cert or some specific SNI. If public CA is not work, you can try selfsigned a cert that SNI is localhost. Good luck
Hi. Still have my certs signed with Let'sEncrypt π I manage 3 domains, all with L/E signed certs. My HTTPS proxy blocks all not signed certs by years. I can with no problems navigate all my webservers thru HTTPS proxy, so it does not blocks HTTPS/TLS negotiate.
HTTPS proxy has many many professional filters and also provides its certs for authentication, so it changes original certs with its own... so, something in the middle [proxy] (also seeing what i'm doing π€) broke the connection.
Thanks.
I also tried a session with stunnel, which works more less like yours, perfect on any of my clients, both Linux and Windows, and thru that proxy it does not work. The proxy/firewall filters all data and breaks any not HTTP traffic. Probably a very deep DPI interrupts all traffic! π€·ββοΈLe roi est mort, vive le roi!!! π€·ββοΈπ€·ββοΈ
PS. can't use redsocks or shadowsocks or similar, since connection to public ip:port is denied π
That's sad, maybe your proxy forbid completely websocket. You can give a try by visiting this website https://websocketstest.com/
Out of curiosity, in which kind of environment are you working in to have such strong firewall ?
Yes, not properly sad πbut frustrating. Can't talk much π€but it's a very strong fw/av, our Company migrated the previous proxy to an external service provider, and they invest much on security (correctly!!! π), but censorship policy is very very frustrating!!! We -developers- can't neither download apache/tomcat/tools or others bins/sources from the inet, since 1) or target is denied (access is blocked) 2) or target starts downloading and then proxy cuts and truncate the final download file to 10%, responding 200, giving a corrupted file π₯²π₯²π₯²π 3) any "strange" CONNECT is monitored and a notification runs on every event of such type π€¦ββοΈπ€¦ββοΈπ€¦ββοΈ
Just to understand,
On the TCP Listener (Port 443), a Client (IP address 1.2.3.4, Host name "1.2.3.4", Port number 47078) has connected.
For the client (IP address: 1.2.3.4, host name: "1.2.3.4", port number: 47078), connection "CID-1-9EDE0C5552" has been created.
SSL communication for connection "CID-1-9EDE0C5552" has been started. The encryption algorithm name is "TLS_AES_256_GCM_SHA384".
Connection "CID-1-9EDE0C5552" terminated by the cause "A client which is non-SoftEther VPN software has connected to the port." (code 5).
Connection "CID-1-9EDE0C5552" has been terminated.
The connection with the client (IP address 1.2.3.4, Port number 47078) has been disconnected.
With same identical config i can connect both to wstunnel and to my vpn outside that proxy/fw/av π€·ββοΈ
So, HAIL TO THE KING π€·ββοΈπ€·ββοΈπ€·ββοΈπ€
π€·ββοΈ
Anyway, just to let you know π₯²π₯²π₯²
WebSockets seem to
Not Work for you :(
Environment
WebSockets supported YES
HTTP Proxy NO
WebSockets (Port 443, SSL)
Connected No β
π€·ββοΈπ€·ββοΈπ€·ββοΈ