diff --git a/blockcheck.sh b/blockcheck.sh
index aa3c241..959cb56 100755
--- a/blockcheck.sh
+++ b/blockcheck.sh
@@ -131,6 +131,12 @@ check_prerequisites()
 done
 }
+curl_supports_tls13()
+{
+ curl --tlsv1.3 -Is -o /dev/null http://$LOCALHOST_IPT:65535 2>/dev/null
+ # return code 2 = init failed. likely bad command line options
+ [ $? != 2 ]
+}
 hdrfile_http_code()
 {
@@ -167,13 +173,23 @@ curl_test_http()
 rm -f "$HDRTEMP"
 return 0
 }
-curl_test_https()
+curl_test_https_tls12()
 {
 # $1 - ip version : 4/6
 # $2 - domain name
 # prevent using QUIC if available in curl
- curl -${1}Ss --max-time $CURL_MAX_TIME $CURL_OPT --http1.1 "https://$2" -o /dev/null 2>&1
+ # do not use tls 1.3 to make sure server certificate is not encrypted
+ curl -${1}Ss --max-time $CURL_MAX_TIME $CURL_OPT --http1.1 --tls-max 1.2 "https://$2" -o /dev/null 2>&1
+}
+curl_test_https_tls13()
+{
+ # $1 - ip version : 4/6
+ # $2 - domain name
+
+ # prevent using QUIC if available in curl
+ # force TLS1.3 mode
+ curl -${1}Ss --max-time $CURL_MAX_TIME $CURL_OPT --http1.1 --tlsv1.3 "https://$2" -o /dev/null 2>&1
 }
 nfqws_ipt_prepare()
 {
@@ -208,6 +224,13 @@ tpws_start()
 # give some time to initialize
 sleep 1
 }
+ws_kill()
+{
+ [ -z "$PID" ] || {
+ killwait -9 $PID 2>/dev/null
+ PID=
+ }
+}
 curl_test()
 {
@@ -239,7 +262,7 @@ ws_curl_test()
 # let some time for tpws to initialize
 curl_test $testf $dom
 code=$?
- killwait -9 $PID
+ ws_kill
 return $code
 }
 tpws_curl_test()
@@ -340,6 +363,11 @@ nfqws_check_domain_bypass()
 done
 done
+ [ "$sec" = 1 ] && {
+ s="--wssize 1:6"
+ nfqws_curl_test $1 $3 $s && strategy="${strategy:-$s}"
+ }
+
 echo
 if [ -n "$strategy" ]; then
 echo "!!!!! working strategy found : nfqws $strategy !!!!!"
@@ -395,7 +423,7 @@ check_domain()
 # in case was interrupted before
 nfqws_ipt_unprepare $2
 tpws_ipt_unprepare $2
- killall nfqws tpws 2>/dev/null
+ ws_kill
 echo "- checking without DPI bypass"
 curl_test $1 $4 && return
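Review bot: The probe in `curl_supports_tls13` only proves that curl's option parser recognizes `--tlsv1.3`: the URL is `http://`, so no TLS handshake is ever attempted, and a curl whose TLS backend lacks TLS 1.3 (the option has been accepted since about curl 7.52, earlier than most backends shipped 1.3) returns something other than 2 and is reported as supporting it. The TLS 1.3 tests will then fail for every strategy, which the user reads as a block rather than a local limitation. At minimum the comment should say so, e.g. `# only detects that the option is recognized; the TLS backend itself may still lack TLS 1.3 (check curl -V)`. Note also that any exit code other than 2 counts as support (a missing curl binary gives 127), so this helper must stay after check_prerequisites, and the probe actually opens a TCP connection to `$LOCALHOST_IPT:65535` rather than testing curl offline.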
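Review bot: `curl_test_https_tls12` now depends unconditionally on `--tls-max 1.2`, an option newer than `--tlsv1.3` (added around curl 7.54 if I recall correctly), yet the only feature probe in this change checks `--tlsv1.3`; on an older curl every TLS 1.2 request, including the baseline `checking without DPI bypass`, exits with code 2 and is indistinguishable from blocking. Guard it the same way as TLS 1.3: probe the option once and only pass it when known, e.g. `CURL_TLS12_OPT=; curl_supports_tls_max && CURL_TLS12_OPT="--tls-max 1.2"`, then use `$CURL_TLS12_OPT` (unquoted, like `$CURL_OPT`, so it word-splits) in place of the literal. The comment `do not use tls 1.3 to make sure server certificate is not encrypted` is the right rationale and would be clearer as `# cap at TLS 1.2 so the server certificate stays in cleartext and DPI can see it`; mirror it in the 1.3 variant with `# TLS 1.3 encrypts the server certificate; only the ClientHello/SNI is visible to DPI`.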
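Review bot: `ws_kill` is now used where `killall nfqws tpws` used to be, but it only signals the single process whose PID is recorded in the global `PID` and nothing documents that contract, so a reader may assume it still sweeps stray instances. Suggest a header comment: `# stop the nfqws/tpws instance started by this run (global PID, presumably set by tpws_start and its nfqws counterpart); no-op when PID is empty`. The `2>/dev/null` also hides a failed kill, so `PID` is cleared even if the process survived; acceptable for a test tool, but worth a one-line note since nothing else will try again.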
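Review bot: `$s` is deliberately left unquoted in `nfqws_curl_test $1 $3 $s` so that `--wssize 1:6` word-splits into an option and its value; the usual lint fix (quoting it) would silently break this test, so mark it: `# $s intentionally unquoted: option and value must reach nfqws as separate args`. This extra probe also runs even when the loops above already recorded a working strategy (`${strategy:-$s}` keeps the first), costing another nfqws start/stop cycle; if listing every working strategy is not the intent, gate it with `[ "$sec" = 1 ] && [ -z "$strategy" ] && {`. nfqws_check_domain_bypass begins outside the hunk, so I cannot see how `$sec` and `strategy` are initialised.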
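Review bot: The comment `# in case was interrupted before` no longer matches the code below it: `ws_kill` only signals the PID recorded during this run, which is empty at this point (`PID=` is initialised at script start), whereas the removed `killall nfqws tpws` also removed instances left behind by an earlier run that died without reaching sigint (SIGKILL, SIGTERM, a dropped session — only signal 2 is trapped). A stray nfqws still bound to the queue while the iptables rules are re-added would skew every result, and on a router it keeps intercepting port 80/443 traffic. Either restore a targeted sweep of processes this script started (a pidfile, or `pkill -f` on the exact command line it launches) or change the comment to `# in case was interrupted before: only the iptables rules are cleaned; a stray nfqws/tpws from a killed run must be stopped manually` and say so in the NOTE printed by ask_params.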
@@ -427,10 +455,15 @@ check_domain_http()
 # $1 - domain
 check_domain curl_test_http 80 0 $1
 }
-check_domain_https()
+check_domain_https_tls12()
 {
 # $1 - domain
- check_domain curl_test_https 443 1 $1
+ check_domain curl_test_https_tls12 443 1 $1
+}
+check_domain_https_tls13()
+{
+ # $1 - domain
+ check_domain curl_test_https_tls13 443 1 $1
 }
 configure_ip_version()
@@ -450,7 +483,6 @@ ask_params()
 {
 echo
 echo NOTE ! this test should be run with zapret or any other bypass software disabled, without VPN
- echo NOTE ! this test will kill all nfqws and tpws processes. if you have already set up zapret you will need to restart it after test is complete.
 $ECHON "test this domain (default: $DOMAIN) : "
 local dom
@@ -469,12 +501,28 @@ ask_params()
 ENABLE_HTTP=1
 ask_yes_no_var ENABLE_HTTP "check http"
- ENABLE_HTTPS=1
- ask_yes_no_var ENABLE_HTTPS "check https"
+ ENABLE_HTTPS_TLS12=1
+ ask_yes_no_var ENABLE_HTTPS_TLS12 "check https tls 1.2"
+
+ ENABLE_HTTPS_TLS13=0
+ if curl_supports_tls13; then
+ echo
+ echo "TLS 1.3 is the new standard for encrypted communications over TCP"
+ echo "its the most important feature for DPI bypass is encrypted server TLS ClientHello"
+ echo "more and more sites enable TLS 1.3 but still there're many sites with only TLS 1.2 support"
+ echo "with TLS 1.3 more DPI bypass strategy can work but they may not apply to all sites"
+ echo "if a strategy works with TLS 1.2 it will also work with TLS 1.3"
+ echo "if nothing works with TLS 1.2 this test may find TLS1.3 only strategies"
+ echo "make sure that $DOMAIN supports TLS 1.3 otherwise all test will return an error"
+ ask_yes_no_var ENABLE_HTTPS_TLS13 "check https tls 1.3"
+ else
+ echo "installed curl version does not support TLS 1.3 . tests disabled."
+ fi
 IGNORE_CA=0
 CURL_OPT=
- [ "$ENABLE_HTTPS" = "1" ] && {
+ [ $ENABLE_HTTPS_TLS13 = 1 -o $ENABLE_HTTPS_TLS12 = 1 ] && {
+ echo
 echo on limited systems like openwrt CA certificates might not be installed to preserve space
 echo in such a case curl cannot verify server certificate and you should either install ca-bundle or disable verification
 echo however disabling verification will break https check if ISP does MitM attack and substitutes server certificate
@@ -593,19 +641,21 @@ sigint()
 nfqws_ipt_unprepare 80
 nfqws_ipt_unprepare 443
 }
- killall nfqws tpws 2>/dev/null
+ ws_kill
 exitp 1
 }
-trap 'sigint' 2
-
 check_system
 check_prerequisites
 require_root
 check_dns
 ask_params
+trap 'sigint' 2
+PID=
 [ "$ENABLE_HTTP" = 1 ] && check_domain_http $DOMAIN
-[ "$ENABLE_HTTPS" = 1 ] && check_domain_https $DOMAIN
+[ "$ENABLE_HTTPS_TLS12" = 1 ] && check_domain_https_tls12 $DOMAIN
+[ "$ENABLE_HTTPS_TLS13" = 1 ] && check_domain_https_tls13 $DOMAIN
+trap - 2
 exitp 0
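Review bot: The explanatory text printed before the TLS 1.3 prompt misstates what TLS 1.3 hides from a DPI box: `echo "its the most important feature for DPI bypass is encrypted server TLS ClientHello"` — the ClientHello, and the SNI inside it, is still sent in cleartext in TLS 1.3; what becomes encrypted is the server's Certificate message, which is exactly what the TLS 1.2 test's own comment (`make sure server certificate is not encrypted`) relies on DPI being able to read. Suggest `echo "its most important feature for DPI bypass is that the server certificate is encrypted (the ClientHello and SNI are still sent in cleartext)"`. The line `if a strategy works with TLS 1.2 it will also work with TLS 1.3` is a plausible rule of thumb but nothing in this script verifies it, so soften it to "usually". Separately, `[ $ENABLE_HTTPS_TLS13 = 1 -o $ENABLE_HTTPS_TLS12 = 1 ]` leaves both variables unquoted and uses the non-portable `-o`, unlike `[ "$ENABLE_HTTP" = 1 ]` used below; an empty value turns it into a `[` syntax error, so prefer `{ [ "$ENABLE_HTTPS_TLS13" = 1 ] || [ "$ENABLE_HTTPS_TLS12" = 1 ]; } && {`.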
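Review bot: Only SIGINT is trapped (`trap 'sigint' 2`), so a SIGTERM or SIGHUP — `kill`, or a dropped SSH session on the router this is meant to run on — terminates the script without running `sigint`, leaving the nfqws/tpws process and the port 80/443 iptables rules that sigint's `*_ipt_unprepare` calls exist to remove in place; on a gateway that is live traffic interception outliving the test, and with `killall` gone from check_domain the next run will not clean it up either. Covering the other termination signals is a small change: `trap 'sigint' 1 2 15` here and `trap - 1 2 15` before the final `exitp 0`. Installing the trap only after ask_params is fine since nothing is started before it, and setting `PID=` after the trap is harmless because ws_kill tests `-z "$PID"`. The sigint function starts outside the hunk.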
diff --git a/docs/readme.txt b/docs/readme.txt
index b45d670..5be71ba 100644
--- a/docs/readme.txt
+++ b/docs/readme.txt
@@ -722,6 +722,10 @@ tpws и nfqws решают нужно ли применять дурение в
 Например : 8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1, 9.9.9.9
 Если DNS подменяется и провайдер перехватывает обращения к сторонним DNS, настройте dnscrypt.
+Следует прогнать blockcheck по нескольким заблокированным сайтам и выявить общий характер блокировок.
+Разные сайты могут быть заблокированы по-разному, нужно искать такую технику, которая работает на большинстве.
+Чтобы записать вывод blockcheck.sh в файл, выполните : ./blockcheck.sh | tee /tmp/blockcheck.txt
+
 Проанализируйте какие методы дурения DPI работают, в соответствии с ними настройте /opt/zapret/config.