blockcheck: separate TLS 1.2/1.3 tests

bol-van 2021-12-10 11:18:25 +03:00
parent 75c50c3140
commit 24e08ceb4c
2 changed files with 68 additions and 14 deletions


@ -131,6 +131,12 @@ check_prerequisites()
done done
} }
curl_supports_tls13()
{
curl --tlsv1.3 -Is -o /dev/null http://$LOCALHOST_IPT:65535 2>/dev/null
# return code 2 = init failed. likely bad command line options
[ $? != 2 ]
}
hdrfile_http_code() hdrfile_http_code()
{ {
@ -167,13 +173,23 @@ curl_test_http()
rm -f "$HDRTEMP" rm -f "$HDRTEMP"
return 0 return 0
} }
curl_test_https() curl_test_https_tls12()
{ {
# $1 - ip version : 4/6 # $1 - ip version : 4/6
# $2 - domain name # $2 - domain name
# prevent using QUIC if available in curl # prevent using QUIC if available in curl
curl -${1}Ss --max-time $CURL_MAX_TIME $CURL_OPT --http1.1 "https://$2" -o /dev/null 2>&1 # do not use tls 1.3 to make sure server certificate is not encrypted
curl -${1}Ss --max-time $CURL_MAX_TIME $CURL_OPT --http1.1 --tls-max 1.2 "https://$2" -o /dev/null 2>&1
}
curl_test_https_tls13()
{
# $1 - ip version : 4/6
# $2 - domain name
# prevent using QUIC if available in curl
# force TLS1.3 mode
curl -${1}Ss --max-time $CURL_MAX_TIME $CURL_OPT --http1.1 --tlsv1.3 "https://$2" -o /dev/null 2>&1
} }
nfqws_ipt_prepare() nfqws_ipt_prepare()
@ -208,6 +224,13 @@ tpws_start()
# give some time to initialize # give some time to initialize
sleep 1 sleep 1
} }
ws_kill()
{
[ -z "$PID" ] || {
killwait -9 $PID 2>/dev/null
PID=
}
}
curl_test() curl_test()
{ {
@ -239,7 +262,7 @@ ws_curl_test()
# let some time for tpws to initialize # let some time for tpws to initialize
curl_test $testf $dom curl_test $testf $dom
code=$? code=$?
killwait -9 $PID ws_kill
return $code return $code
} }
tpws_curl_test() tpws_curl_test()
@ -340,6 +363,11 @@ nfqws_check_domain_bypass()
done done
done done
[ "$sec" = 1 ] && {
s="--wssize 1:6"
nfqws_curl_test $1 $3 $s && strategy="${strategy:-$s}"
}
echo echo
if [ -n "$strategy" ]; then if [ -n "$strategy" ]; then
echo "!!!!! working strategy found : nfqws $strategy !!!!!" echo "!!!!! working strategy found : nfqws $strategy !!!!!"
@ -395,7 +423,7 @@ check_domain()
# in case was interrupted before # in case was interrupted before
nfqws_ipt_unprepare $2 nfqws_ipt_unprepare $2
tpws_ipt_unprepare $2 tpws_ipt_unprepare $2
killall nfqws tpws 2>/dev/null ws_kill
echo "- checking without DPI bypass" echo "- checking without DPI bypass"
curl_test $1 $4 && return curl_test $1 $4 && return
@ -427,10 +455,15 @@ check_domain_http()
# $1 - domain # $1 - domain
check_domain curl_test_http 80 0 $1 check_domain curl_test_http 80 0 $1
} }
check_domain_https() check_domain_https_tls12()
{ {
# $1 - domain # $1 - domain
check_domain curl_test_https 443 1 $1 check_domain curl_test_https_tls12 443 1 $1
}
check_domain_https_tls13()
{
# $1 - domain
check_domain curl_test_https_tls13 443 1 $1
} }
configure_ip_version() configure_ip_version()
@ -450,7 +483,6 @@ ask_params()
{ {
echo echo
echo NOTE ! this test should be run with zapret or any other bypass software disabled, without VPN echo NOTE ! this test should be run with zapret or any other bypass software disabled, without VPN
echo NOTE ! this test will kill all nfqws and tpws processes. if you have already set up zapret you will need to restart it after test is complete.
$ECHON "test this domain (default: $DOMAIN) : " $ECHON "test this domain (default: $DOMAIN) : "
local dom local dom
@ -469,12 +501,28 @@ ask_params()
ENABLE_HTTP=1 ENABLE_HTTP=1
ask_yes_no_var ENABLE_HTTP "check http" ask_yes_no_var ENABLE_HTTP "check http"
ENABLE_HTTPS=1 ENABLE_HTTPS_TLS12=1
ask_yes_no_var ENABLE_HTTPS "check https" ask_yes_no_var ENABLE_HTTPS_TLS12 "check https tls 1.2"
ENABLE_HTTPS_TLS13=0
if curl_supports_tls13; then
echo
echo "TLS 1.3 is the new standard for encrypted communications over TCP"
echo "its the most important feature for DPI bypass is encrypted server TLS ClientHello"
echo "more and more sites enable TLS 1.3 but still there're many sites with only TLS 1.2 support"
echo "with TLS 1.3 more DPI bypass strategy can work but they may not apply to all sites"
echo "if a strategy works with TLS 1.2 it will also work with TLS 1.3"
echo "if nothing works with TLS 1.2 this test may find TLS1.3 only strategies"
echo "make sure that $DOMAIN supports TLS 1.3 otherwise all test will return an error"
ask_yes_no_var ENABLE_HTTPS_TLS13 "check https tls 1.3"
else
echo "installed curl version does not support TLS 1.3 . tests disabled."
fi
IGNORE_CA=0 IGNORE_CA=0
CURL_OPT= CURL_OPT=
[ "$ENABLE_HTTPS" = "1" ] && { [ $ENABLE_HTTPS_TLS13 = 1 -o $ENABLE_HTTPS_TLS12 = 1 ] && {
echo
echo on limited systems like openwrt CA certificates might not be installed to preserve space echo on limited systems like openwrt CA certificates might not be installed to preserve space
echo in such a case curl cannot verify server certificate and you should either install ca-bundle or disable verification echo in such a case curl cannot verify server certificate and you should either install ca-bundle or disable verification
echo however disabling verification will break https check if ISP does MitM attack and substitutes server certificate echo however disabling verification will break https check if ISP does MitM attack and substitutes server certificate
@ -593,19 +641,21 @@ sigint()
nfqws_ipt_unprepare 80 nfqws_ipt_unprepare 80
nfqws_ipt_unprepare 443 nfqws_ipt_unprepare 443
} }
killall nfqws tpws 2>/dev/null ws_kill
exitp 1 exitp 1
} }
trap 'sigint' 2
check_system check_system
check_prerequisites check_prerequisites
require_root require_root
check_dns check_dns
ask_params ask_params
trap 'sigint' 2
PID=
[ "$ENABLE_HTTP" = 1 ] && check_domain_http $DOMAIN [ "$ENABLE_HTTP" = 1 ] && check_domain_http $DOMAIN
[ "$ENABLE_HTTPS" = 1 ] && check_domain_https $DOMAIN [ "$ENABLE_HTTPS_TLS12" = 1 ] && check_domain_https_tls12 $DOMAIN
[ "$ENABLE_HTTPS_TLS13" = 1 ] && check_domain_https_tls13 $DOMAIN
trap - 2
exitp 0 exitp 0
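Review bot: The new condition in ask_params, `[ $ENABLE_HTTPS_TLS13 = 1 -o $ENABLE_HTTPS_TLS12 = 1 ]`, drops the quoting the replaced `[ "$ENABLE_HTTPS" = "1" ]` line had and relies on the deprecated `-o`; if either variable ends up empty the test becomes a syntax error rather than evaluating false. Prefer `{ [ "$ENABLE_HTTPS_TLS13" = 1 ] || [ "$ENABLE_HTTPS_TLS12" = 1 ]; } && {`, which also matches how the other `ENABLE_*` checks at the bottom of the file are written; ask_params continues past the end of this hunk. Separately, curl_supports_tls13 probes an http:// URL, so it appears to confirm only that `--tlsv1.3` is accepted on the command line, not that the TLS backend can negotiate 1.3; if a build rejects the version only at handshake time, the TLS 1.3 checks would be offered and then fail in a way that looks like blocking, so a comment such as `# only checks that curl parses the option; backend TLS 1.3 support is not verified here` would help whoever reads a run of TLS 1.3 errors.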


@ -722,6 +722,10 @@ tpws и nfqws решают нужно ли применять дурение в
Например : 8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1, 9.9.9.9 Например : 8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1, 9.9.9.9
Если DNS подменяется и провайдер перехватывает обращения к сторонним DNS, настройте dnscrypt. Если DNS подменяется и провайдер перехватывает обращения к сторонним DNS, настройте dnscrypt.
Следует прогнать blockcheck по нескольким заблокированным сайтам и выявить общий характер блокировок.
Разные сайты могут быть заблокированы по-разному, нужно искать такую технику, которая работает на большинстве.
Чтобы записать вывод blockcheck.sh в файл, выполните : ./blockcheck.sh | tee /tmp/blockcheck.txt
Проанализируйте какие методы дурения DPI работают, в соответствии с ними настройте /opt/zapret/config. Проанализируйте какие методы дурения DPI работают, в соответствии с ними настройте /opt/zapret/config.