[China] education net seems to block tls record layer fragment (with tcp segment)
As provided. I don't count how many reset packets I get.
This technique is widely used in proxies built with Workers on the regionally blocked domains workers.dev/pages.dev.
Have you tried decreasing the length of the first TLS record ( e.g. length = 1 )? Did CERNET route some traffic through China Telecom's autonomous systems?
Useless, as it used to be with only TCP frag last year. Any bigger interval or more fragments is useless. Must be something stateful.
As far as I know, China Mobile applies the change too.
You could try to use both TCP segmentation and TLS fragmentation at the same time. Could work... especially when the fragments don't align.
No, it never works on the education net.
I guess it is something with full TCP TLS stack. I don't know whether it will deploy to the whole net.
That's worrisome. I hope to monitor it somewhat for the rest of the GFW.
Today I split the first TLS record into 400 TLS records, still got reset. ( in AS56040 )
Just verified that the three TLS injectors (TCP RST) of the GFW and the one in Henan still cannot reassemble TLS records. I'll keep checking, but as of now, that new behavior seems limited to the education net.
Two PCAP files for collecting the fingerprints of the middleboxes: brookings.edu-1.pcap.zip signal.org-IPv6.pcap.zip
Take a look at Matrix. I have something to talk to you about.
Strangely, the GFW cannot deal with fragments with OOB data. I've reported it to gfw.report.
As reported by my users or collaborators, the change has been adopted and has influenced the whole country. I guess it is at the gateway, but I don't measure.