ckcr4lyf/README.md

## README.md

      
    Raw
  

              README.md
            
          
    For setup, see: https://ckcr4lyf.github.io/tech-notes/services/nginx/nginx-ech.html
TODO: make a full git repo (TBD if needed?)
Live Demo: https://rfc5746.mywaifu.best:443/

  
## index.html
<html>
<head>
<title>MyWaifu ECH playground</title>
<script>
        function populate(){
                const params = new URL(document.location.toString()).searchParams;
                document.getElementById('status').innerText = params.get("ech_status");
                document.getElementById('outer').innerText = params.get("ech_outer_sni");
                document.getElementById('inner').innerText = params.get("ech_inner_sni");
        }
</script>
<style>
table, th, td {
  border: 1px solid black;
  border-collapse: collapse;
}

table {
    font-size: 18px;
    margin: 0px 14px 14px 0px;
}

td {
    padding: 8px;
}
</style>
</head>

<body onload="populate()">
<h1>ECH Playground</h1>

<h2>ECH Status</h2>
<table>
<tbody>
        <tr>
                <th>Property</th>
                <th>Value</th>
                <th>Explanation</th>
        </tr>
        <tr>
                <td>ECH Status</td>
                <td id="status"></td>
                <td>If ECH worked</td>
        </tr>
        <tr>
                <td>ECH Outer SNI</td>
                <td id="outer"></td>
                <td>what the ISP sees</td>
        </tr>
        <tr>
                <td>ECH Inner SNI</td>
                <td id="inner"></td>
                <td>what the target server sees</td>
        </tr>
</tbody>
</table>
<hr />
I host this website to try and demo ECHConfig's with a public_name NOT equal to the actual domain name I own.<br />

I believe as a server operator, this is a good tactic to "hide" my website behind SNIs of popular / generic websites. It can also expose ISPs or Governments performing SNI based blocking.<br />

However, it should be acknowledged, that anyone who owns the domain name being "faked" in the ECHConfig, could technically MiTM the TLS handshake, <a href="https://mailarchive.ietf.org/arch/msg/tls/cwXPZfpvN-ZzgQoCjAxotNqoomY/">but only to the extent of decrypting the ClientHelloInner</a>,
not actually being able to impersonate the true origin. <br /><br />

Here are some SNIs on different ports you can try - you can use Wireshark to determine which SNI your browser is using.<br /><br />

Note: Firefox incorrectly uses the default HTTPS ECHConfig for all ports. Google Chrome correctly uses Port Prefixed lookups for the HTTPS DNS record, so I would suggest use Google Chrome for testing. Alternatively you could enable the feature in Firefox to use this setting. Read more here: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1860038">Mozilla Bugzilla #1860038</a>

<ul>
        <li><a href="https://rfc5746.mywaifu.best/">Port 443: SNI = example.com</a></li>
        <li><a href="https://rfc5746.mywaifu.best:3443/">Port 3443: SNI = thepiratebay.org</a></li>
        <li><a href="https://rfc5746.mywaifu.best:4443/">Port 4443: SNI = cia.gov</a></li>
        <li><a href="https://rfc5746.mywaifu.best:5443/">Port 5443: SNI = www.torproject.org</a></li>
        <li><a href="https://rfc5746.mywaifu.best:6443/">Port 6443: SNI = pornhub.com</a></li>
</ul>

<h2>How?</h2>

This service is provided using a forked OpenSSL & nginx thanks to <a href="https://github.com/sftcd/">sftcd</a><br /><br />

A very hacky howto of how I did it specifically is <a href="https://ckcr4lyf.github.io/tech-notes/services/nginx/nginx-ech.html">available here.</a>

<h2>Why this domain?</h2>

Well initially I used this domain on this VPS to create a testcase for TLS renegotiation to illustrate a <a href="https://github.com/nodejs/node/issues/48143">potential bug in Node.JS</a>,
since <a href="https://github.com/chromium/badssl.com/issues/507">badSSL can't support some kinda custom TLS response</a>.

Since it was already configured to point to this idle VPS, I thought might as well use it for other ECH stuffs.

</body>
</html>

## nginx.conf
worker_processes  1;
error_log  logs/error.log  info;

events {
    worker_connections  1024;
}


http {
    access_log          logs/access.log combined;
    ssl_echkeydir        echkeydir;

    server {
        listen              443 default_server ssl;
        listen 3443 default_server ssl;
        listen 4443 default_server ssl;
        listen  5443 default_server ssl;
        listen 6443 default_server ssl;
        ssl_certificate     cadir/domain.crt;
        ssl_certificate_key cadir/domain.key;
        ssl_protocols       TLSv1.3;
        server_name         rfc5746.mywaifu.best;

        location /result/ {
                alias www/;
                autoindex on;
                index index.html;
        }

        location / {
            root   www;
            return 307 /result/index.html?ech_status=$ssl_ech_status&ech_inner_sni=$ssl_ech_inner_sni&ech_outer_sni=$ssl_ech_outer_sni;
        }
    }
}
	<html>
	<head>
	<title>MyWaifu ECH playground</title>
	<script>
	function populate(){
	const params = new URL(document.location.toString()).searchParams;
	document.getElementById('status').innerText = params.get("ech_status");
	document.getElementById('outer').innerText = params.get("ech_outer_sni");
	document.getElementById('inner').innerText = params.get("ech_inner_sni");
	}
	</script>
	<style>
	table, th, td {
	border: 1px solid black;
	border-collapse: collapse;
	}

	table {
	font-size: 18px;
	margin: 0px 14px 14px 0px;
	}

	td {
	padding: 8px;
	}
	</style>
	</head>

	<body onload="populate()">
	<h1>ECH Playground</h1>

	<h2>ECH Status</h2>
	<table>
	<tbody>
	<tr>
	<th>Property</th>
	<th>Value</th>
	<th>Explanation</th>
	</tr>
	<tr>
	<td>ECH Status</td>
	<td id="status"></td>
	<td>If ECH worked</td>
	</tr>
	<tr>
	<td>ECH Outer SNI</td>
	<td id="outer"></td>
	<td>what the ISP sees</td>
	</tr>
	<tr>
	<td>ECH Inner SNI</td>
	<td id="inner"></td>
	<td>what the target server sees</td>
	</tr>
	</tbody>
	</table>
	<hr />
	I host this website to try and demo ECHConfig's with a public_name NOT equal to the actual domain name I own.<br />

	I believe as a server operator, this is a good tactic to "hide" my website behind SNIs of popular / generic websites. It can also expose ISPs or Governments performing SNI based blocking.<br />

	However, it should be acknowledged, that anyone who owns the domain name being "faked" in the ECHConfig, could technically MiTM the TLS handshake, <a href="https://mailarchive.ietf.org/arch/msg/tls/cwXPZfpvN-ZzgQoCjAxotNqoomY/">but only to the extent of decrypting the ClientHelloInner</a>,
	not actually being able to impersonate the true origin. <br /><br />

	Here are some SNIs on different ports you can try - you can use Wireshark to determine which SNI your browser is using.<br /><br />

	Note: Firefox incorrectly uses the default HTTPS ECHConfig for all ports. Google Chrome correctly uses Port Prefixed lookups for the HTTPS DNS record, so I would suggest use Google Chrome for testing. Alternatively you could enable the feature in Firefox to use this setting. Read more here: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1860038">Mozilla Bugzilla #1860038</a>

	<ul>
	<li><a href="https://rfc5746.mywaifu.best/">Port 443: SNI = example.com</a></li>
	<li><a href="https://rfc5746.mywaifu.best:3443/">Port 3443: SNI = thepiratebay.org</a></li>
	<li><a href="https://rfc5746.mywaifu.best:4443/">Port 4443: SNI = cia.gov</a></li>
	<li><a href="https://rfc5746.mywaifu.best:5443/">Port 5443: SNI = www.torproject.org</a></li>
	<li><a href="https://rfc5746.mywaifu.best:6443/">Port 6443: SNI = pornhub.com</a></li>
	</ul>

	<h2>How?</h2>

	This service is provided using a forked OpenSSL & nginx thanks to <a href="https://github.com/sftcd/">sftcd</a><br /><br />

	A very hacky howto of how I did it specifically is <a href="https://ckcr4lyf.github.io/tech-notes/services/nginx/nginx-ech.html">available here.</a>

	<h2>Why this domain?</h2>

	Well initially I used this domain on this VPS to create a testcase for TLS renegotiation to illustrate a <a href="https://github.com/nodejs/node/issues/48143">potential bug in Node.JS</a>,
	since <a href="https://github.com/chromium/badssl.com/issues/507">badSSL can't support some kinda custom TLS response</a>.

	Since it was already configured to point to this idle VPS, I thought might as well use it for other ECH stuffs.

	</body>
	</html>
	worker_processes 1;
	error_log logs/error.log info;

	events {
	worker_connections 1024;
	}


	http {
	access_log logs/access.log combined;
	ssl_echkeydir echkeydir;

	server {
	listen 443 default_server ssl;
	listen 3443 default_server ssl;
	listen 4443 default_server ssl;
	listen 5443 default_server ssl;
	listen 6443 default_server ssl;
	ssl_certificate cadir/domain.crt;
	ssl_certificate_key cadir/domain.key;
	ssl_protocols TLSv1.3;
	server_name rfc5746.mywaifu.best;

	location /result/ {
	alias www/;
	autoindex on;
	index index.html;
	}

	location / {
	root www;
	return 307 /result/index.html?ech_status=$ssl_ech_status&ech_inner_sni=$ssl_ech_inner_sni&ech_outer_sni=$ssl_ech_outer_sni;
	}
	}
	}