
Add Chrome-like TLS to configurations selected
when UseIndistinguishableTLS is specified.

Rod Hynes 9 лет назад
Родитель
Сommit
6cec350db9

+ 4 - 0
psiphon/opensslConn.go

@@ -30,6 +30,10 @@ import (
 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common"
 )
 
+func openSSLSupported() bool {
+	return true
+}
+
 // newOpenSSLConn wraps a connection with TLS which mimicks stock Android TLS.
 // This facility is used as a circumvention measure to ensure Psiphon client
 // TLS ClientHello messages match common TLS ClientHellos vs. the more
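Review bot: `openSSLSupported` at the top of the hunk has no doc comment, so its contract is only discoverable by finding the twin definition in opensslConn_unsupported.go. A one-liner would make the pairing explicit: `// openSSLSupported reports whether the OpenSSL-backed TLS implementation is compiled into this build; opensslConn_unsupported.go provides the false variant.` The build constraints that keep the two definitions mutually exclusive are not visible in this hunk, so that pairing is presumed from the file names rather than verified.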

+ 4 - 0
psiphon/opensslConn_unsupported.go

@@ -28,6 +28,10 @@ import (
 	"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common"
 )
 
+func openSSLSupported() bool {
+	return false
+}
+
 // newOpenSSLConn simply returns an error when used on an unsupported platform.
 func newOpenSSLConn(rawConn net.Conn, hostname string, config *CustomTLSConfig) (handshakeConn, error) {
 	return nil, common.ContextError(errors.New("newOpenSSLConn not supported on this platform"))

+ 2 - 1
psiphon/server/server_test.go

@@ -386,7 +386,8 @@ func runServer(t *testing.T, runConfig *runServerConfig) {
         "ClientVersion" : "0",
         "SponsorId" : "0",
         "PropagationChannelId" : "0",
-        "DisableRemoteServerListFetcher" : true
+        "DisableRemoteServerListFetcher" : true,
+        "UseIndistinguishableTLS" : true
     }`
 	clientConfig, _ := psiphon.LoadConfig([]byte(clientConfigJSON))
 
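Review bot: Enabling `UseIndistinguishableTLS` in the test config does not pin which implementation the test exercises: in tlsDialer.go the OpenSSL path is taken only when `common.FlipCoin()` lands true, so any single run covers either the OpenSSL ClientHello or the Chrome-emulation path at random, and a regression in one of them can pass CI for several runs before showing up. Consider running the server test once per path with the choice forced (a test-only override of the coin flip, or a second config that cannot use OpenSSL, e.g. one with `ObfuscatedSessionTicketKey` set, if the server side tolerates that), or at least log which path was taken so a failure is attributable. `runServer` starts before this hunk.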

+ 20 - 6
psiphon/tlsDialer.go

@@ -177,6 +177,25 @@ func CustomTLSDial(network, addr string, config *CustomTLSConfig) (net.Conn, err
 
 	tlsConfig := &tls.Config{}
 
+	// Select indistinguishable TLS implementation
+	useOpenSSL := false
+	if config.UseIndistinguishableTLS {
+
+		// OpenSSL cannot be used in all cases
+		canUseOpenSSL := openSSLSupported() &&
+			config.ObfuscatedSessionTicketKey == "" &&
+			(config.SkipVerify ||
+				// TODO: config.VerifyLegacyCertificate != nil ||
+				config.TrustedCACertificatesFilename != "")
+
+		if canUseOpenSSL && common.FlipCoin() {
+			useOpenSSL = true
+		} else {
+			tlsConfig.EmulateChrome = true
+			tlsConfig.ClientSessionCache = tls.NewLRUClientSessionCache(0)
+		}
+	}
+
 	if config.SkipVerify {
 		tlsConfig.InsecureSkipVerify = true
 	}
@@ -217,12 +236,7 @@ func CustomTLSDial(network, addr string, config *CustomTLSConfig) (net.Conn, err
 	var conn handshakeConn
 
 	// When supported, use OpenSSL TLS as a more indistinguishable TLS.
-	if config.UseIndistinguishableTLS &&
-		config.ObfuscatedSessionTicketKey == "" &&
-		(config.SkipVerify ||
-			// TODO: config.VerifyLegacyCertificate != nil ||
-			config.TrustedCACertificatesFilename != "") {
-
+	if useOpenSSL {
 		conn, err = newOpenSSLConn(rawConn, hostname, config)
 		if err != nil {
 			rawConn.Close()
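Review bot: In the first hunk the Chrome-emulation branch sets `tlsConfig.ClientSessionCache = tls.NewLRUClientSessionCache(0)` on a `tls.Config` that is created fresh in every `CustomTLSDial` call, so the cache is empty at the only handshake it will ever see and no session is ever resumed. If the purpose is only to get the session-ticket extension into the ClientHello so it resembles Chrome's (presumably why it is here), say so with `// per-dial cache: advertises session tickets in the ClientHello; resumption itself is not expected` so nobody later "fixes" it; if real resumption is intended, the cache has to live on `CustomTLSConfig` or the dialer, not in this function. The selection `if canUseOpenSSL && common.FlipCoin()` also deserves a one-line comment on intent (splitting the client population between the two fingerprints), and note that a client retrying the same dial will then alternate between two distinct ClientHello profiles, which is itself something an observer can correlate. The comment `// When supported, use OpenSSL TLS as a more indistinguishable TLS.` above the new `if useOpenSSL` is now stale, since platform support is only one of the conditions decided earlier; `// useOpenSSL was decided above (supported, no obfuscated session ticket, coin flip)` would match the code. `CustomTLSDial` continues beyond both hunks.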