Implement CertCompressionAlgo extension #48

Closed
yukinotenshi opened this issue Jul 9, 2020 · 12 comments
Labels
help wanted Calling for community PR/volunteer

Comments

@yukinotenshi

Env: Go 1.14, Windows amd64

Whenever I use the client hello of Chrome for version 70, 72, or 83, the program will run into this error:

HttpGetByHelloID(HelloChrome_70) failed: uTlsConn.Handshake() error: local error: tls: unexpected message

How to reproduce:

  1. Change the example to hello chrome of the versions mentioned above
  2. Run it

@yukinotenshi
Author

The same issue persists in Ubuntu-18.04 amd64 using Go version 1.8.

@sergeyfrolov
Member

Could be a server issue. Did you take a look at which unexpected message it is in Wireshark?

@yukinotenshi
Author

yukinotenshi commented Jul 10, 2020

@sergeyfrolov
image

This is what I got in Wireshark

@yukinotenshi
Author

Comparison when using CHROME_62
image

@sergeyfrolov
Member

When I visit https://104.27.159.141 in Chrome 83 I get this:

This site can’t provide a secure connection
104.27.159.141 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.

Looks like that server needs to update TLS config and/or implementation.

@yukinotenshi
Author

yukinotenshi commented Jul 10, 2020

> When I visit https://104.27.159.141 in Chrome 83 I get this:
>
> This site can’t provide a secure connection
> 104.27.159.141 uses an unsupported protocol.
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> Unsupported protocol
> The client and server don't support a common SSL protocol version or cipher suite.
>
> Looks like that server needs to update TLS config and/or implementation.

I got the same exact problem when running on google.com or even Facebook as in the example as well, so I believe it's not a server-side issue. Also, for the problem you mentioned, it's due to the IP being owned by Cloudflare. You need to enter the hostname so it can resolve it and see if the domain is set up with their SSL or not.

@rod-hynes
Collaborator

I can confirm this issue with HelloChrome_83 and cloudflare.com:443. I believe this is due to this extension not being implemented:

utls/u_parrots.go

Lines 280 to 282 in ada0bb9

```go
&FakeCertCompressionAlgsExtension{[]CertCompressionAlgo{
	CertCompressionBrotli,
}},
```

When you comment this extension out, the TLS handshake succeeds. Of course, that's no longer Chrome 83.

Fwiw, a fix exists: #22. We cannot merge that here due to license issues.

Perhaps we can develop our own implementation of certificate compression, or check for another one.
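
Added example (not part of any comment in this thread and not uTLS code): a client that advertises this extension has to accept the server's RFC 8879 CompressedCertificate message, and the Go code below shows the checks a decoder needs, in particular bounding the inflated size by the declared `uncompressed_length`. It uses zlib (algorithm ID 1) because Go's standard library has no decoder for brotli, the algorithm in the snippet above; `decodeCompressedCert`, `sampleBody` and `maxCertMsg` are hypothetical names, and the sample body is constructed.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"fmt"
	"io"
)

const algZlib, maxCertMsg = 1, 1 << 20 // RFC 8879 zlib ID; assumed local size cap

// decodeCompressedCert inflates an RFC 8879 CompressedCertificate; offered = IDs the client advertised.
func decodeCompressedCert(body []byte, offered map[uint16]bool) ([]byte, error) {
	if len(body) < 8 || int(body[5])<<16|int(body[6])<<8|int(body[7]) != len(body)-8 {
		return nil, fmt.Errorf("malformed CompressedCertificate framing")
	}
	alg := uint16(body[0])<<8 | uint16(body[1])               // uint16 algorithm
	want := int(body[2])<<16 | int(body[3])<<8 | int(body[4]) // uint24 uncompressed_length
	if !offered[alg] {
		return nil, fmt.Errorf("algorithm %d was not offered by this client", alg)
	}
	if alg != algZlib || want > maxCertMsg { // brotli (2) needs a non-stdlib decoder
		return nil, fmt.Errorf("unsupported algorithm %d or length %d", alg, want)
	}
	zr, err := zlib.NewReader(bytes.NewReader(body[8:]))
	if err != nil {
		return nil, err
	}
	out, err := io.ReadAll(io.LimitReader(zr, int64(want)+1)) // want+1: oversize is caught, not inflated
	if err != nil || len(out) != want {
		return nil, fmt.Errorf("uncompressed_length mismatch (bad_certificate)")
	}
	return out, nil
}

// sampleBody builds a constructed zlib CompressedCertificate that claims length n.
func sampleBody(msg string, n int) []byte {
	var z bytes.Buffer
	w := zlib.NewWriter(&z)
	w.Write([]byte(msg))
	w.Close()
	c := z.Len()
	hdr := []byte{0, algZlib, byte(n >> 16), byte(n >> 8), byte(n), byte(c >> 16), byte(c >> 8), byte(c)}
	return append(hdr, z.Bytes()...)
}

func main() {
	_, err := decodeCompressedCert(sampleBody("constructed Certificate message", 4), map[uint16]bool{algZlib: true})
	fmt.Println("understated length rejected:", err)
}
```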

@sergeyfrolov
Member

Perhaps we can.

Or perhaps @Yawning can agree to dual license his uTLS changes so we can pull them here. I am pretty busy right now, since I have a thesis defense next month, so I would really appreciate help with the library.

@Yawning

Yawning commented Jul 10, 2020

> Or perhaps @Yawning can agree to dual license his uTLS changes so we can pull them here.

I'll need to think about this.

@yukinotenshi
Author

I've resolved some of the issues that I received. It turns out that for some websites (example: www.something.com) I need to put something.com as the ServerName in tls.Config and dial www.something.com. Putting the www. subdomain in tls.Config will result in a handshake error.

@VeNoMouS
Contributor

VeNoMouS commented Sep 9, 2020

Confirmed, @Yawning works, UTLS fails with anything using TLS 1.3 with unexpected message on the handshake

@i542873057

> Confirmed, @Yawning works, UTLS fails with anything using TLS 1.3 with unexpected message on the handshake

I have met the same problem as you. Do you have any solution?

Any help to me will be appreciated!

sergeyfrolov changed the title from "uTlsConn.Handshake() error: local error: tls: unexpected message" to "Implement CertCompressionAlgo extension" on Nov 12, 2020
sergeyfrolov added the "help wanted" (Calling for community PR/volunteer) label on Nov 12, 2020
gaukas closed this as completed on Jul 14, 2023