TLS Handshake failure when I use the reverse proxy without SNI

Hello, I recently encountered a problem.

Our country blocked many websites, the one of block are based on SNI, when the SNI in the blacklist, it will send the RST ACK to block website connections.

I use Nginx to setup the reverse proxy for the websites which is blocked, it was set up in the local computer, this will hide the SNI, bypass the blockade. The local certificate is self-signed, I trusted them and I just use it for myself. It used to work well for every websites, but recently month, the Nginx returns 502 Bad gateway, the failure websites are using Cloudflare.

I used the Wireshark to check the data, and I found that Cloudflare IP returns the error “Fatal alert handshake failure”, if I set the proxy_ssl_name to the right domain, it can works, but this is just for the websites which is not blocked by gov, if I access the blocked website, but the RST ACK is continuing.

Now I want to know how to resolve this problem, how to bypass the SNI blocks, thank you~

I am afraid your description is not very clear to me.

What exactly is your setup? Where is that reverse proxy set up? It doesnt really matter much if you have a reverse proxy or not, if you open a TLS connection with a standard SNI request, you will always send that in plain text and that will always be open to interception at this point. Certificates are completely irrelevant in this context.

If that is your issue you will need to adopt ESNI. https://serverfault.com/questions/976377/how-can-i-set-up-encrypted-sni-on-my-own-servers might provide you with additional details.

Unfortunately, fascism grows when large populations fear death and politicians feed on that fear. The rise of Hitler, Mussolini, Franco, etc… are prime examples of such Lunacy. Today, the current Pandemic has sowed chaos and fear in most of the world giving malevolent governments - all governments - the opportunity to increase control of people’s lives and dictate what can or cannot be done, in all matters including when attempting to stay “connected” to others through digital communications. Employing an “SNI block” isn’t difficult at the state level and is very difficult to evade when the certificates used for TLS also employ the added “functionality” of Server Name Indication which is transmitted in plain text despite it being integral for most of today’s https:// infrastructure to function.
One solution beyond handing control of the site in question to a near-100% trustworthy (100% is a nonexistent ideal) friend living in a less oppressive country would be attempting to find a Cert provider that issues non-SNI certificates and whose root certs are trusted by the big 5 - Mozilla, Oracle (Java), Apple, Microsoft (Windows) & last, Google (Android).
The solution that would certainly work if you are able to covertly instruct your would be visitors too use Tor (as I’m assuming it to is monitored where you live, though that’s far simpler to evade) is to host your website using a .onion address. It is a simple process to both generate either the v2 or v3 (which is a longer address & more cryptographically secure, though less easy to remember for your visitors as using a v2 address allows for a simpler process for vanity addresses such as Facebook’s and ProtonMail’s .onion addresses, though larger organizations such as Facebook have the computing power (and luck) to end up with a v3 address of facebookcorewwwi.onion (it is served both as an https:// and a http:// site).
I also believe they were the first to have a CA-issued TLS cert. DigiCert offers .onion certs although I’m unsure of the current process. It used to be difficult to impossible to obtain one, hence Facebook being the first. And while more CAs followed in offering TLS certs for .onion sites, it remains a difficult process and allows for government censorship of any site being served from within its borders via reading the plaintext SNI through either DNS (which is really useless for the oppressive regimes in question but it has been used in the past) or simply and easily through filtering TLS certs that transmit SNI in plaintext, which is all of them. And that is unfortunately still a weak spot to this day.
However, a movement to use ESNI (Encrypted Server Name Indication) led by Mozilla (who else?) has been gaining traction. Google, Microsoft & Apple need to get on board to work together to push the change through to Certificate Authorities’ voting members. Then the change will occur.
Continuing on, ProtonMail’s site is https://protonirockerxow.onion/ . ProPublica’s site http://www.propub3r6espa33w.onion/. There is a good explanation of the process they used here:

https://www.propublica.org/nerds/a-more-secure-and-anonymous-propublica-using-tor-hidden-services,

by Mike Tigas who is also a Tor developer. He has the torcc file ProPublica uses for their site here:

https://gist.github.com/mtigas/9a7425dfdacda15790b2#file-1-torrc.

I recommend also reading

https://2019.www.torproject.org/docs/tor-onion-service.html.en

as well as

https://riseup.net/en/security/network-security/tor/onionservices-best-practices.

An excellent study / research paper regarding SNI is here:

https://hal.inria.fr/hal-01202712/document.

Note that

  1. vanity names are nice but for your use they should be avoided.
  2. You can host a site from within a Docker container.
  3. Changing the address regularly, but pseudo-randomly as far as number of days, time of day, etc. is very important for your privacy and thus the evasion of governmental attempts at locating the server. Misconfiguration of the time daemon running on server can be exploited to monitor your .onion site’s traffic patterns, as well as directly monitoring traffic passing through a complicit (or Govt. controlled) Tor Exit Relay.
  4. Using a dedicated machine running TAILS OS (a Linux distro which Torrifies all traffic leaving it) is wise.

Oops. I somehow missed your mention of ESNI. :neutral_face:

This topic was automatically closed after 30 days. New replies are no longer allowed.