GFW的确存在某种形式的数据报文长度检查 / The GFW does indeed perform some form of data packet length checking

[ThEWiZaRd0fBsoD]

地理位置：中国河南省安阳市。 运营商：中国联通。

复现方法： 将Cloak的连接复用NumConn设置为0（禁用连接复用）后，Tor无法通过Cloak保护的代理连接到Tor网络。

但一旦打开Cloak的连接复用（哪怕NumConn设置为2），Tor依然可以通过Cloak保护的代理连接到Tor网络。

分享的目的： GFW被认为存在数据包长度检查多年，但都是缺乏直观体现的案例，且缺少可以准确复现的情况。

这能从直观的角度证实数据包长度检查的存在（Tor是一种使用TLS 1.3传输的软件）。

也能直观的解释你的代理到底是哪里出了问题被拉黑，说的就是那群懒得开mux（多路复用/连接复用）的人。 （我知道使用Fake TLS类代理测试并不“标准”，但GFW似乎照常对其进行了TLS in TLS检测并识别出来了这是Tor）。

没有截图，但是有视频： https://youtu.be/6zwcvxelgPk

---

Location: Anyang City, Henan Province, China. Operator: China Unicom.

Reproduction method: After setting the connection reuse NumConn of Cloak to 0 (disable connection reuse), Tor cannot connect to the Tor network through the proxy protected by Cloak.

However, once connection reuse is enabled for Cloak (even if NumConn is set to 2), Tor can still connect to the Tor network via the Cloak-protected proxy.

Purpose of sharing: The Great Firewall (GFW) has been suspected of performing packet length checks for years, but there have been no cases with intuitive evidence, and no scenarios that can be accurately reproduced.

This provides intuitive evidence of packet length checks (Tor is a an example of software that uses TLS 1.3 for transmission).

It also provides an intuitive explanation of where your proxy went wrong and got blacklisted, specifically those who are too lazy to enable mux (multiplexing/connection reuse). (I know using Fake TLS-type proxies for testing isn't “standard,” but the GFW seems to have detected and identified it as Tor despite the TLS-in-TLS setup.)

No screenshots, but there's a video: https://youtu.be/6zwcvxelgPk

[UjuiUjuMandan]

Can you confirm it's the Great Firewall but not Cloak's own problem? Like by connecting to Tor using a Cloak client at the same Cloak server?

	if raw.NumConn <= 0 {
		remote.NumConn = 1
		remote.Singleplex = true
	} else {
		remote.NumConn = raw.NumConn
		remote.Singleplex = false
	}

NumConn is the amount of underlying TCP connections you want to use. The default of 4 should be appropriate for most people. Setting it too high will hinder the performance. Setting it to 0 will disable connection multiplexing and each TCP connection will spawn a separate short-lived session that will be closed after it is terminated. This makes it behave like GoQuiet. This maybe useful for people with unstable connections.

I doubt that the Tor client does need to maintain multiple sessions. Can you set NumConn to 1 and check again?

[ThEWiZaRd0fBsoD]

Can you confirm it's the Great Firewall but not Cloak's own problem? Like by connecting to Tor using a Cloak client at the same Cloak server?

if raw.NumConn <= 0 { remote.NumConn = 1 remote.Singleplex = true } else { remote.NumConn = raw.NumConn remote.Singleplex = false }

NumConn is the amount of underlying TCP connections you want to use. The default of 4 should be appropriate for most people. Setting it too high will hinder the performance. Setting it to 0 will disable connection multiplexing and each TCP connection will spawn a separate short-lived session that will be closed after it is terminated. This makes it behave like GoQuiet. This maybe useful for people with unstable connections.

I doubt that the Tor client does need to maintain multiple sessions. Can you set NumConn to 1 and check again?

Now I'm having some doubts.

After setting NumConn to 1, Tor can connect to the network. However, strangely, after I got up and restarted my network equipment (router, ONT), Tor can connect to the network even when NumConn is set to 0.

Cloak version is 2.11.

[ghost]

法轮功的自由门和无界浏览很可能已经支持后量子算法，在用他们的工具时我看到数据包长度，再看HQC和Kyber的公钥尺寸和密文尺寸；HQC（基于Code纠错码的），公钥尺寸7245字节，无界浏览在握手时一次性也要6到7字节，Kyber（基于Lattice的后量子算法）公钥尺寸1568字节；Lattice也是专家比较关注的数学问题，也有希望抵抗量子计算机。所以我看自由门和无界浏览在跟服务器握手时的包长度，猜测法轮功学员开发的翻墙软件支持后量子算法；倘若直连连不上的话（因为GFW是严格封杀法轮功的），可以给无界浏览配置前置代理，前置代理用V2Ray或Clash都行，应该就能连接无界浏览了。最后你可以在这里 https://www.falsefire.com/zh 看见2001年事件的真相。

FaLunGong's Freegate and UltraSurf is very probably using post-quantum algorithms, I saw the packet length when using their tools, then see the public key size and ciphertext size of HQC and Kyber; for HQC (which is Code-based), the public key size is 7245-byte, Ultrasurf needs about 6 or 7 bytes a packet when handshaking; for Kyber (which is Lattice-based), the public key size is 1568-byte; Lattice is also a mathematical problem that researchers noticed, also hopeful to mitigate quantum computing. So as I saw the packet lengths when Freegate and Ultrasurf handshaking with the servers, I guess the censorship circumvention tool made by FaLun Gong practitioners support post-quantum algorithm. If directly connecting to Freegate or Ultrasurf fails (since GFW strictly blocks FaLun Gong), you can use forward proxy for Ultrasurf, either V2Ray or Clash can be the forward proxy, so Ultrasurf may successfully connect. Finally you can see the truth of the case happened in 2001 here https://www.falsefire.com/en

[ghost]

Yes, post-quantum cryptography is important for Chinese people, please don't dislike the comment above. On the other hand, if you prohibit the spreading of FaLun Gong tools, I will spread any other tools (although not made by FaLun Gong) that support post-quantum cryptography, e.,g Mullvad VPN announced that Mullvad supports Kyber algorithm.

[ghost]

Since this repository owner also imposes strict censorship, you can go to another repository https://github.com/cirosantilli/china-dictatorship/issues