Merge pull request #107 from rod-hynes/master

Add indistinguishable TLS; minor cleanups

README.md

@@ -19,9 +19,22 @@ Setup
 --------------------------------------------------------------------------------
 
 * Go 1.4 (or higher) is required.
-* In this repository, run `go build` to make the `psiphon-tunnel-core` binary.
-* Note that the `psiphon` package is imported using the absolute path `github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon`; without further local configuration, `go` will use this version of the code and not the local copy in the repository.
 * This project builds and runs on recent versions of Windows, Linux, and Mac OS X.
+* Note that the `psiphon` package is imported using the absolute path `github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon`; without further local configuration, `go` will use this version of the code and not the local copy in the repository.
+* In this repository, run `go build` to make the `psiphon-tunnel-core` binary.
+  * Build versioning info may be configured as follows, and passed to `go build` in the `-ldflags` argument:
+
+    ```
+    BUILDDATE=$(date --iso-8601=seconds)
+    BUILDREPO=$(git config --get remote.origin.url)
+    BUILDREV=$(git rev-parse HEAD)
+    LDFLAGS="\
+    -X github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon.buildDate $BUILDDATE \
+    -X github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon.buildRepo $BUILDREPO \
+    -X github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon.buildRev $BUILDREV \
+    "
+    ```
+
 * Run `./psiphon-tunnel-core --config psiphon.config` where the config file looks like this:
 
 <!--BEGIN-SAMPLE-CONFIG-->

SampleApps/Psibot/app/src/main/java/ca/psiphon/PsiphonTunnel.java

@@ -319,6 +319,12 @@ public class PsiphonTunnel extends Psi.PsiphonProvider.Stub {
 
         json.put("EmitBytesTransferred", true);
 
+        json.put("UseIndistinguishableTLS", true);
+
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.ICE_CREAM_SANDWICH) {
+            json.put("SystemCACertificateDirectory", "/system/etc/security/cacerts");
+        }
+
         if (mLocalSocksProxyPort != 0) {
             // When mLocalSocksProxyPort is set, tun2socks is already configured
             // to use that port value. So we force use of the same port.

openssl/README.md

@@ -0,0 +1,32 @@
+Psiphon OpenSSL README
+================================================================================
+
+Overview
+--------------------------------------------------------------------------------
+
+Psiphon Tunnel Core may be configured to use OpenSSL, in place of Go's TLS, when
+it is advantageous to emulate more common TLS implementations. This facility is
+used as a circumvention measure to ensure Psiphon client TLS ClientHello messages
+mimic common TLS ClientHellos from, e.g., stock Android app SSLSocket connections
+vs. the more distinguishable (blockable) Go TLS ClientHello.
+
+This directory contains source and scripts to build OpenSSL libraries that can be
+statically linked with Psiphon Tunnel Core.
+
+Mimicking stock TLS implementations is done both at compile time (no-heartbeats)
+and at [runtime](psiphon/opensslConn.go) (specific cipher suites and options).
+
+Android
+--------------------------------------------------------------------------------
+
+Ensure `ANDROID_NDK_ROOT` is set. Run the `build-android.sh` script to build
+static libraries for Android.
+
+When running `gomobile bind` to build the Android library, set `CGO` environment
+variables as follows (alternatively, set up `pkg-config`, which is used by the
+[openssl package](https://github.com/Psiphon-Inc/openssl/blob/master/build.go)).
+
+```
+export CGO_CFLAGS="-I<path>/include"
+export CGO_LDFLAGS="-L<path> -lssl -lcrypto"
+```

openssl/build-android.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Based on: https://wiki.openssl.org/index.php/Android
+
+rm -rf ./openssl-1.0.1p
+tar xvf openssl-1.0.1p.tar.gz
+source ./setenv-android.sh
+cd openssl-1.0.1p
+perl -pi -e 's/install: all install_docs install_sw/install: install_docs install_sw/g' Makefile.org
+# TODO: strip out more unnecessary components
+./config no-shared no-ssl2 no-ssl3 no-comp no-hw no-md2 no-md4 no-rc2 no-rc5 no-krb5 no-ripemd160 no-idea no-gost no-camellia no-seed no-3des no-heartbeats --openssldir=../ssl
+perl -pi -e 's/-O3/-Os -mfloat-abi=softfp/g' Makefile
+make depend
+make all
+cd ..

openssl/setenv-android.sh

@@ -0,0 +1,233 @@
+#!/bin/bash
+# Cross-compile environment for Android on ARMv7 and x86
+#
+# Contents licensed under the terms of the OpenSSL license
+# http://www.openssl.org/source/license.html
+#
+# See http://wiki.openssl.org/index.php/FIPS_Library_and_Android
+#   and http://wiki.openssl.org/index.php/Android
+
+#####################################################################
+
+# Set ANDROID_NDK_ROOT to you NDK location. For example,
+# /opt/android-ndk-r8e or /opt/android-ndk-r9. This can be done in a
+# login script. If ANDROID_NDK_ROOT is not specified, the script will
+# try to pick it up with the value of _ANDROID_NDK_ROOT below. If
+# ANDROID_NDK_ROOT is set, then the value is ignored.
+# _ANDROID_NDK="android-ndk-r8e"
+_ANDROID_NDK="android-ndk-r10e"
+# _ANDROID_NDK="android-ndk-r10"
+
+# Set _ANDROID_EABI to the EABI you want to use. You can find the
+# list in $ANDROID_NDK_ROOT/toolchains. This value is always used.
+# _ANDROID_EABI="x86-4.6"
+# _ANDROID_EABI="arm-linux-androideabi-4.6"
+_ANDROID_EABI="arm-linux-androideabi-4.8"
+
+# Set _ANDROID_ARCH to the architecture you are building for.
+# This value is always used.
+# _ANDROID_ARCH=arch-x86
+_ANDROID_ARCH=arch-arm
+
+# Set _ANDROID_API to the API you want to use. You should set it
+# to one of: android-14, android-9, android-8, android-14, android-5
+# android-4, or android-3. You can't set it to the latest (for
+# example, API-17) because the NDK does not supply the platform. At
+# Android 5.0, there will likely be another platform added (android-22?).
+# This value is always used.
+# _ANDROID_API="android-14"
+_ANDROID_API="android-14"
+# _ANDROID_API="android-19"
+
+#####################################################################
+
+# If the user did not specify the NDK location, try and pick it up.
+# We expect something like ANDROID_NDK_ROOT=/opt/android-ndk-r8e
+# or ANDROID_NDK_ROOT=/usr/local/android-ndk-r8e.
+
+if [ -z "$ANDROID_NDK_ROOT" ]; then
+
+  _ANDROID_NDK_ROOT=""
+  if [ -z "$_ANDROID_NDK_ROOT" ] && [ -d "/usr/local/$_ANDROID_NDK" ]; then
+    _ANDROID_NDK_ROOT="/usr/local/$_ANDROID_NDK"
+  fi
+
+  if [ -z "$_ANDROID_NDK_ROOT" ] && [ -d "/opt/$_ANDROID_NDK" ]; then
+    _ANDROID_NDK_ROOT="/opt/$_ANDROID_NDK"
+  fi
+
+  if [ -z "$_ANDROID_NDK_ROOT" ] && [ -d "$HOME/$_ANDROID_NDK" ]; then
+    _ANDROID_NDK_ROOT="$HOME/$_ANDROID_NDK"
+  fi
+
+  if [ -z "$_ANDROID_NDK_ROOT" ] && [ -d "$PWD/$_ANDROID_NDK" ]; then
+    _ANDROID_NDK_ROOT="$PWD/$_ANDROID_NDK"
+  fi
+
+  # If a path was set, then export it
+  if [ ! -z "$_ANDROID_NDK_ROOT" ] && [ -d "$_ANDROID_NDK_ROOT" ]; then
+    export ANDROID_NDK_ROOT="$_ANDROID_NDK_ROOT"
+  fi
+fi
+
+# Error checking
+# ANDROID_NDK_ROOT should always be set by the user (even when not running this script)
+# http://groups.google.com/group/android-ndk/browse_thread/thread/a998e139aca71d77
+if [ -z "$ANDROID_NDK_ROOT" ] || [ ! -d "$ANDROID_NDK_ROOT" ]; then
+  echo "Error: ANDROID_NDK_ROOT is not a valid path. Please edit this script."
+  # echo "$ANDROID_NDK_ROOT"
+  # exit 1
+fi
+
+# Error checking
+if [ ! -d "$ANDROID_NDK_ROOT/toolchains" ]; then
+  echo "Error: ANDROID_NDK_ROOT/toolchains is not a valid path. Please edit this script."
+  # echo "$ANDROID_NDK_ROOT/toolchains"
+  # exit 1
+fi
+
+# Error checking
+if [ ! -d "$ANDROID_NDK_ROOT/toolchains/$_ANDROID_EABI" ]; then
+  echo "Error: ANDROID_EABI is not a valid path. Please edit this script."
+  # echo "$ANDROID_NDK_ROOT/toolchains/$_ANDROID_EABI"
+  # exit 1
+fi
+
+#####################################################################
+
+# Based on ANDROID_NDK_ROOT, try and pick up the required toolchain. We expect something like:
+# /opt/android-ndk-r83/toolchains/arm-linux-androideabi-4.7/prebuilt/linux-x86_64/bin
+# Once we locate the toolchain, we add it to the PATH. Note: this is the 'hard way' of
+# doing things according to the NDK documentation for Ice Cream Sandwich.
+# https://android.googlesource.com/platform/ndk/+/ics-mr0/docs/STANDALONE-TOOLCHAIN.html
+
+ANDROID_TOOLCHAIN=""
+for host in "linux-x86_64" "linux-x86" "darwin-x86_64" "darwin-x86"
+do
+  if [ -d "$ANDROID_NDK_ROOT/toolchains/$_ANDROID_EABI/prebuilt/$host/bin" ]; then
+    ANDROID_TOOLCHAIN="$ANDROID_NDK_ROOT/toolchains/$_ANDROID_EABI/prebuilt/$host/bin"
+    break
+  fi
+done
+
+# Error checking
+if [ -z "$ANDROID_TOOLCHAIN" ] || [ ! -d "$ANDROID_TOOLCHAIN" ]; then
+  echo "Error: ANDROID_TOOLCHAIN is not valid. Please edit this script."
+  # echo "$ANDROID_TOOLCHAIN"
+  # exit 1
+fi
+
+case $_ANDROID_ARCH in
+	arch-arm)	  
+      ANDROID_TOOLS="arm-linux-androideabi-gcc arm-linux-androideabi-ranlib arm-linux-androideabi-ld"
+	  ;;
+	arch-x86)	  
+      ANDROID_TOOLS="i686-linux-android-gcc i686-linux-android-ranlib i686-linux-android-ld"
+	  ;;	  
+	*)
+	  echo "ERROR ERROR ERROR"
+	  ;;
+esac
+
+for tool in $ANDROID_TOOLS
+do
+  # Error checking
+  if [ ! -e "$ANDROID_TOOLCHAIN/$tool" ]; then
+    echo "Error: Failed to find $tool. Please edit this script."
+    # echo "$ANDROID_TOOLCHAIN/$tool"
+    # exit 1
+  fi
+done
+
+# Only modify/export PATH if ANDROID_TOOLCHAIN good
+if [ ! -z "$ANDROID_TOOLCHAIN" ]; then
+  export ANDROID_TOOLCHAIN="$ANDROID_TOOLCHAIN"
+  export PATH="$ANDROID_TOOLCHAIN":"$PATH"
+fi
+
+#####################################################################
+
+# For the Android SYSROOT. Can be used on the command line with --sysroot
+# https://android.googlesource.com/platform/ndk/+/ics-mr0/docs/STANDALONE-TOOLCHAIN.html
+export ANDROID_SYSROOT="$ANDROID_NDK_ROOT/platforms/$_ANDROID_API/$_ANDROID_ARCH"
+export SYSROOT="$ANDROID_SYSROOT"
+export NDK_SYSROOT="$ANDROID_SYSROOT"
+
+# Error checking
+if [ -z "$ANDROID_SYSROOT" ] || [ ! -d "$ANDROID_SYSROOT" ]; then
+  echo "Error: ANDROID_SYSROOT is not valid. Please edit this script."
+  # echo "$ANDROID_SYSROOT"
+  # exit 1
+fi
+
+#####################################################################
+
+# If the user did not specify the FIPS_SIG location, try and pick it up
+# If the user specified a bad location, then try and pick it up too.
+if [ -z "$FIPS_SIG" ] || [ ! -e "$FIPS_SIG" ]; then
+
+  # Try and locate it
+  _FIPS_SIG=""
+  if [ -d "/usr/local/ssl/$_ANDROID_API" ]; then
+    _FIPS_SIG=`find "/usr/local/ssl/$_ANDROID_API" -name incore`
+  fi
+
+  if [ ! -e "$_FIPS_SIG" ]; then
+    _FIPS_SIG=`find $PWD -name incore`
+  fi
+
+  # If a path was set, then export it
+  if [ ! -z "$_FIPS_SIG" ] && [ -e "$_FIPS_SIG" ]; then
+    export FIPS_SIG="$_FIPS_SIG"
+  fi
+fi
+
+# Error checking. Its OK to ignore this if you are *not* building for FIPS
+if [ -z "$FIPS_SIG" ] || [ ! -e "$FIPS_SIG" ]; then
+  echo "Error: FIPS_SIG does not specify incore module. Please edit this script."
+  # echo "$FIPS_SIG"
+  # exit 1
+fi
+
+#####################################################################
+
+# Most of these should be OK (MACHINE, SYSTEM, ARCH). RELEASE is ignored.
+export MACHINE=armv7
+export RELEASE=2.6.37
+export SYSTEM=android
+export ARCH=arm
+export CROSS_COMPILE="arm-linux-androideabi-"
+
+if [ "$_ANDROID_ARCH" == "arch-x86" ]; then
+	export MACHINE=i686
+	export RELEASE=2.6.37
+	export SYSTEM=android
+	export ARCH=x86
+	export CROSS_COMPILE="i686-linux-android-"
+fi
+
+# For the Android toolchain
+# https://android.googlesource.com/platform/ndk/+/ics-mr0/docs/STANDALONE-TOOLCHAIN.html
+export ANDROID_SYSROOT="$ANDROID_NDK_ROOT/platforms/$_ANDROID_API/$_ANDROID_ARCH"
+export SYSROOT="$ANDROID_SYSROOT"
+export NDK_SYSROOT="$ANDROID_SYSROOT"
+export ANDROID_NDK_SYSROOT="$ANDROID_SYSROOT"
+export ANDROID_API="$_ANDROID_API"
+
+# CROSS_COMPILE and ANDROID_DEV are DFW (Don't Fiddle With). Its used by OpenSSL build system.
+# export CROSS_COMPILE="arm-linux-androideabi-"
+export ANDROID_DEV="$ANDROID_NDK_ROOT/platforms/$_ANDROID_API/$_ANDROID_ARCH/usr"
+export HOSTCC=gcc
+
+VERBOSE=1
+if [ ! -z "$VERBOSE" ] && [ "$VERBOSE" != "0" ]; then
+  echo "ANDROID_NDK_ROOT: $ANDROID_NDK_ROOT"
+  echo "ANDROID_ARCH: $_ANDROID_ARCH"
+  echo "ANDROID_EABI: $_ANDROID_EABI"
+  echo "ANDROID_API: $ANDROID_API"
+  echo "ANDROID_SYSROOT: $ANDROID_SYSROOT"
+  echo "ANDROID_TOOLCHAIN: $ANDROID_TOOLCHAIN"
+  echo "FIPS_SIG: $FIPS_SIG"
+  echo "CROSS_COMPILE: $CROSS_COMPILE"
+  echo "ANDROID_DEV: $ANDROID_DEV"
+fi

psiphon/LookupIP_nobind.go

@@ -27,7 +27,7 @@ import (
 )
 
 // LookupIP resolves a hostname. When BindToDevice is not required, it
-// simply uses net.LookuIP.
+// simply uses net.LookupIP.
 func LookupIP(host string, config *DialConfig) (addrs []net.IP, err error) {
 	if config.DeviceBinder != nil {
 		return nil, ContextError(errors.New("LookupIP with DeviceBinder not supported on this platform"))

psiphon/config.go

@@ -29,7 +29,6 @@ import (
 // TODO: allow all params to be configured
 
 const (
-	VERSION                                      = "0.0.9"
 	DATA_STORE_FILENAME                          = "psiphon.db"
 	CONNECTION_WORKER_POOL_SIZE                  = 10
 	TUNNEL_POOL_SIZE                             = 1
@@ -99,6 +98,8 @@ type Config struct {
 	UpgradeDownloadUrl                  string
 	UpgradeDownloadFilename             string
 	EmitBytesTransferred                bool
+	UseIndistinguishableTLS             bool
+	SystemCACertificateDirectory        string
 }
 
 // LoadConfig parses and validates a JSON format Psiphon config JSON

psiphon/controller.go

@@ -74,10 +74,12 @@ func NewController(config *Config) (controller *Controller, err error) {
 	// used to exclude these requests and connection from VPN routing.
 	untunneledPendingConns := new(Conns)
 	untunneledDialConfig := &DialConfig{
-		UpstreamProxyUrl: config.UpstreamProxyUrl,
-		PendingConns:     untunneledPendingConns,
-		DeviceBinder:     config.DeviceBinder,
-		DnsServerGetter:  config.DnsServerGetter,
+		UpstreamProxyUrl:             config.UpstreamProxyUrl,
+		PendingConns:                 untunneledPendingConns,
+		DeviceBinder:                 config.DeviceBinder,
+		DnsServerGetter:              config.DnsServerGetter,
+		UseIndistinguishableTLS:      config.UseIndistinguishableTLS,
+		SystemCACertificateDirectory: config.SystemCACertificateDirectory,
 	}
 
 	controller = &Controller{
@@ -123,7 +125,6 @@ func NewController(config *Config) (controller *Controller, err error) {
 // - a local HTTP proxy that port forwards through the pool of tunnels
 func (controller *Controller) Run(shutdownBroadcast <-chan struct{}) {
 	NoticeBuildInfo()
-	NoticeCoreVersion(VERSION)
 	ReportAvailableRegions()
 
 	// Start components

psiphon/dataStore_alt.go

@@ -31,7 +31,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/boltdb/bolt"
+	"github.com/Psiphon-Inc/bolt"
 )
 
 // The BoltDB dataStore implementation is an alternative to the sqlite3-based

psiphon/meekConn.go

@@ -162,11 +162,13 @@ func DialMeek(
 
 		dialer = NewCustomTLSDialer(
 			&CustomTLSConfig{
-				Dial:           NewTCPDialer(meekConfig),
-				Timeout:        meekConfig.ConnectTimeout,
-				FrontingAddr:   fmt.Sprintf("%s:%d", frontingAddress, 443),
-				SendServerName: false,
-				SkipVerify:     true,
+				Dial:                         NewTCPDialer(meekConfig),
+				Timeout:                      meekConfig.ConnectTimeout,
+				FrontingAddr:                 fmt.Sprintf("%s:%d", frontingAddress, 443),
+				SendServerName:               false,
+				SkipVerify:                   true,
+				UseIndistinguishableTLS:      config.UseIndistinguishableTLS,
+				SystemCACertificateDirectory: config.SystemCACertificateDirectory,
 			})
 	} else {
 		// In the unfronted case, host is both what is dialed and what ends up in the HTTP Host header

psiphon/net.go

@@ -64,6 +64,18 @@ type DialConfig struct {
 	// current active untunneled network DNS server.
 	DeviceBinder    DeviceBinder
 	DnsServerGetter DnsServerGetter
+
+	// UseIndistinguishableTLS specifies whether to try to use an
+	// alternative stack for TLS. From a circumvention perspective,
+	// Go's TLS has a distinct fingerprint that may be used for blocking.
+	// Only applies to TLS connections.
+	UseIndistinguishableTLS bool
+
+	// SystemCACertificateDirectory specifies a directory containing
+	// CA certs. Directory contents should be compatible with OpenSSL's
+	// SSL_CTX_load_verify_locations
+	// Only applies to UseIndistinguishableTLS connections.
+	SystemCACertificateDirectory string
 }
 
 // DeviceBinder defines the interface to the external BindToDevice provider

psiphon/notice.go

@@ -99,11 +99,6 @@ func NoticeError(format string, args ...interface{}) {
 	outputNotice("Error", true, "message", fmt.Sprintf(format, args...))
 }
 
-// NoticeCoreVersion is the version string of the core
-func NoticeCoreVersion(version string) {
-	outputNotice("CoreVersion", false, "version", version)
-}
-
 // NoticeCandidateServers is how many possible servers are available for the selected region and protocol
 func NoticeCandidateServers(region, protocol string, count int) {
 	outputNotice("CandidateServers", false, "region", region, "protocol", protocol, "count", count)

psiphon/opensslConn.go

@@ -0,0 +1,107 @@
+// +build android
+
+/*
+ * Copyright (c) 2015, Psiphon Inc.
+ * All rights reserved.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package psiphon
+
+import (
+	"errors"
+	"net"
+	"strings"
+
+	"github.com/Psiphon-Inc/openssl"
+)
+
+// newOpenSSLConn wraps a connection with TLS which mimicks stock Android TLS.
+// This facility is used as a circumvention measure to ensure Psiphon client
+// TLS ClientHello messages match common TLS ClientHellos vs. the more
+// distinguishable (blockable) Go TLS ClientHello.
+func newOpenSSLConn(rawConn net.Conn, hostname string, config *CustomTLSConfig) (handshakeConn, error) {
+
+	ctx, err := openssl.NewCtx()
+	if err != nil {
+		return nil, ContextError(err)
+	}
+
+	if !config.SkipVerify {
+		ctx.SetVerifyMode(openssl.VerifyPeer)
+		if config.VerifyLegacyCertificate != nil {
+			// TODO: verify with VerifyLegacyCertificate
+			return nil, errors.New("newOpenSSLConn does not support VerifyLegacyCertificate")
+		} else {
+			if config.SystemCACertificateDirectory == "" {
+				return nil, errors.New("newOpenSSLConn cannot verify without SystemCACertificateDirectory")
+			}
+			err = ctx.LoadVerifyLocations("", config.SystemCACertificateDirectory)
+			if err != nil {
+				return nil, ContextError(err)
+			}
+		}
+	} else {
+		ctx.SetVerifyMode(openssl.VerifyNone)
+	}
+
+	// Use the same cipher suites, in the same priority order, as stock Android TLS.
+	// Based on: https://android.googlesource.com/platform/external/conscrypt/+/master/src/main/java/org/conscrypt/NativeCrypto.java
+	// This list includes include recently retired DSS suites: https://android.googlesource.com/platform/external/conscrypt/+/e53baea9221be7f9828d0f338ede284e22f55722%5E!/#F0,
+	// as those are still commonly deployed.
+	ciphersuites := []string{
+		"ECDHE-ECDSA-AES128-GCM-SHA256",
+		"ECDHE-ECDSA-AES256-GCM-SHA384",
+		"ECDHE-RSA-AES128-GCM-SHA256",
+		"ECDHE-RSA-AES256-GCM-SHA384",
+		"DHE-RSA-AES128-GCM-SHA256",
+		"DHE-RSA-AES256-GCM-SHA384",
+		"ECDHE-ECDSA-AES128-SHA",
+		"ECDHE-ECDSA-AES256-SHA",
+		"ECDHE-RSA-AES128-SHA",
+		"ECDHE-RSA-AES256-SHA",
+		"DHE-RSA-AES128-SHA",
+		"DHE-RSA-AES256-SHA",
+		"DHE-DSS-AES128-SHA",
+		"DHE-DSS-AES256-SHA",
+		"ECDHE-ECDSA-RC4-SHA",
+		"ECDHE-RSA-RC4-SHA",
+		"AES128-GCM-SHA256",
+		"AES256-GCM-SHA384",
+		"AES128-SHA",
+		"AES256-SHA",
+		"RC4-SHA",
+	}
+	ctx.SetCipherList(strings.Join(ciphersuites, ":"))
+
+	// Mimic extensions used by stock Android.
+	// NOTE: Heartbeat extension is disabled at compile time.
+	ctx.SetOptions(openssl.NoSessionResumptionOrRenegotiation | openssl.NoTicket)
+
+	conn, err := openssl.Client(rawConn, ctx)
+	if err != nil {
+		return nil, ContextError(err)
+	}
+
+	if config.SendServerName {
+		err = conn.SetTlsExtHostName(hostname)
+		if err != nil {
+			return nil, ContextError(err)
+		}
+	}
+
+	return conn, nil
+}

psiphon/opensslConn_unsupported.go

@@ -0,0 +1,32 @@
+// +build !android
+
+/*
+ * Copyright (c) 2015, Psiphon Inc.
+ * All rights reserved.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package psiphon
+
+import (
+	"errors"
+	"net"
+)
+
+// newOpenSSLConn simply returns an error when used on an unsupported platform.
+func newOpenSSLConn(rawConn net.Conn, hostname string, config *CustomTLSConfig) (handshakeConn, error) {
+	return nil, ContextError(errors.New("newOpenSSLConn not supported on this platform"))
+}

psiphon/remoteServerList.go

@@ -22,7 +22,9 @@ package psiphon
 import (
 	"errors"
 	"io/ioutil"
+	"net"
 	"net/http"
+	"net/url"
 )
 
 // FetchRemoteServerList downloads a remote server list JSON record from
@@ -39,15 +41,46 @@ func FetchRemoteServerList(config *Config, dialConfig *DialConfig) (err error) {
 		return ContextError(errors.New("remote server list signature public key blank"))
 	}
 
+	dialer := NewTCPDialer(dialConfig)
+
+	// When the URL is HTTPS, use the custom TLS dialer with the
+	// UseIndistinguishableTLS option.
+	// TODO: refactor into helper function
+	requestUrl, err := url.Parse(config.RemoteServerListUrl)
+	if err != nil {
+		return ContextError(err)
+	}
+	if requestUrl.Scheme == "https" {
+		dialer = NewCustomTLSDialer(
+			&CustomTLSConfig{
+				Dial:                         dialer,
+				SendServerName:               true,
+				SkipVerify:                   false,
+				UseIndistinguishableTLS:      config.UseIndistinguishableTLS,
+				SystemCACertificateDirectory: config.SystemCACertificateDirectory,
+			})
+
+		// Change the scheme to "http"; otherwise http.Transport will try to do
+		// another TLS handshake inside the explicit TLS session. Also need to
+		// force the port to 443,as the default for "http", 80, won't talk TLS.
+		requestUrl.Scheme = "http"
+		host, _, err := net.SplitHostPort(requestUrl.Host)
+		if err != nil {
+			// Assume there's no port
+			host = requestUrl.Host
+		}
+		requestUrl.Host = net.JoinHostPort(host, "443")
+	}
+
 	transport := &http.Transport{
-		Dial: NewTCPDialer(dialConfig),
+		Dial: dialer,
 	}
 	httpClient := http.Client{
 		Timeout:   FETCH_REMOTE_SERVER_LIST_TIMEOUT,
 		Transport: transport,
 	}
 
-	request, err := http.NewRequest("GET", config.RemoteServerListUrl, nil)
+	request, err := http.NewRequest("GET", requestUrl.String(), nil)
 	if err != nil {
 		return ContextError(err)
 	}

psiphon/serverApi.go

@@ -367,7 +367,6 @@ func makePsiphonHttpsClient(tunnel *Tunnel) (httpsClient *http.Client, err error
 		&CustomTLSConfig{
 			Dial:                    tunneledDialer,
 			Timeout:                 PSIPHON_API_SERVER_TIMEOUT,
-			SendServerName:          false,
 			VerifyLegacyCertificate: certificate,
 		})
 	transport := &http.Transport{

psiphon/tlsDialer.go

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, Psiphon Inc.
+ * Copyright (c) 2015, Psiphon Inc.
  * All rights reserved.
  *
  * This program is free software: you can redistribute it and/or modify
@@ -104,12 +104,19 @@ type CustomTLSConfig struct {
 	// VerifyLegacyCertificate is a special case self-signed server
 	// certificate case. Ignores IP SANs and basic constraints. No
 	// certificate chain. Just checks that the server presented the
-	// specified certificate.
+	// specified certificate. SNI is disbled when this is set.
 	VerifyLegacyCertificate *x509.Certificate
 
-	// TlsConfig is a tls.Config to use in the
-	// non-verifyLegacyCertificate case.
-	TlsConfig *tls.Config
+	// UseIndistinguishableTLS specifies whether to try to use an
+	// alternative stack for TLS. From a circumvention perspective,
+	// Go's TLS has a distinct fingerprint that may be used for blocking.
+	UseIndistinguishableTLS bool
+
+	// SystemCACertificateDirectory specifies a directory containing
+	// CA certs. Directory contents should be compatible with OpenSSL's
+	// SSL_CTX_load_verify_locations
+	// Only applies to UseIndistinguishableTLS connections.
+	SystemCACertificateDirectory string
 }
 
 func NewCustomTLSDialer(config *CustomTLSConfig) Dialer {
@@ -118,13 +125,19 @@ func NewCustomTLSDialer(config *CustomTLSConfig) Dialer {
 	}
 }
 
+// handshakeConn is a net.Conn that can perform a TLS handshake
+type handshakeConn interface {
+	net.Conn
+	Handshake() error
+}
+
 // CustomTLSDialWithDialer is a customized replacement for tls.Dial.
 // Based on tlsdialer.DialWithDialer which is based on crypto/tls.DialWithDialer.
 //
 // tlsdialer comment:
 //   Note - if sendServerName is false, the VerifiedChains field on the
 //   connection's ConnectionState will never get populated.
-func CustomTLSDial(network, addr string, config *CustomTLSConfig) (*tls.Conn, error) {
+func CustomTLSDial(network, addr string, config *CustomTLSConfig) (net.Conn, error) {
 
 	// We want the Timeout and Deadline values from dialer to cover the
 	// whole process: TCP connection and TLS handshake. This means that we
@@ -149,36 +162,43 @@ func CustomTLSDial(network, addr string, config *CustomTLSConfig) (*tls.Conn, er
 
 	hostname, _, err := net.SplitHostPort(dialAddr)
 	if err != nil {
+		rawConn.Close()
 		return nil, ContextError(err)
 	}
 
-	tlsConfig := config.TlsConfig
-	if tlsConfig == nil {
-		tlsConfig = &tls.Config{}
-	}
-
-	// Copy config so we can tweak it
-	tlsConfigCopy := new(tls.Config)
-	*tlsConfigCopy = *tlsConfig
+	tlsConfig := &tls.Config{}
 
-	serverName := tlsConfig.ServerName
-	// If no ServerName is set, infer the ServerName
-	// from the hostname we're connecting to.
-	if serverName == "" {
-		serverName = hostname
+	if config.SkipVerify {
+		tlsConfig.InsecureSkipVerify = true
 	}
 
-	if config.SendServerName {
+	if config.SendServerName && config.VerifyLegacyCertificate == nil {
 		// Set the ServerName and rely on the usual logic in
 		// tls.Conn.Handshake() to do its verification
-		tlsConfigCopy.ServerName = serverName
+		tlsConfig.ServerName = hostname
 	} else {
+		// No SNI.
 		// Disable verification in tls.Conn.Handshake().  We'll verify manually
 		// after handshaking
-		tlsConfigCopy.InsecureSkipVerify = true
+		tlsConfig.InsecureSkipVerify = true
 	}
 
-	conn := tls.Client(rawConn, tlsConfigCopy)
+	var conn handshakeConn
+
+	// When supported, use OpenSSL TLS as a more indistinguishable TLS.
+	if config.UseIndistinguishableTLS &&
+		(config.SkipVerify ||
+			// TODO: config.VerifyLegacyCertificate != nil ||
+			config.SystemCACertificateDirectory != "") {
+
+		conn, err = newOpenSSLConn(rawConn, hostname, config)
+		if err != nil {
+			rawConn.Close()
+			return nil, ContextError(err)
+		}
+	} else {
+		conn = tls.Client(rawConn, tlsConfig)
+	}
 
 	if config.Timeout == 0 {
 		err = conn.Handshake()
@@ -189,12 +209,20 @@ func CustomTLSDial(network, addr string, config *CustomTLSConfig) (*tls.Conn, er
 		err = <-errChannel
 	}
 
-	if !config.SkipVerify {
-		if err == nil && config.VerifyLegacyCertificate != nil {
-			err = verifyLegacyCertificate(conn, config.VerifyLegacyCertificate)
-		} else if err == nil && !config.SendServerName && !tlsConfig.InsecureSkipVerify {
+	// openSSLConns complete verification automatically. For Go TLS,
+	// we need to complete the process from crypto/tls.Dial.
+
+	// NOTE: for (config.SendServerName && !config.tlsConfig.InsecureSkipVerify),
+	// the tls.Conn.Handshake() does the complete verification, including host name.
+	tlsConn, isTlsConn := conn.(*tls.Conn)
+	if err == nil && isTlsConn &&
+		!config.SkipVerify && tlsConfig.InsecureSkipVerify {
+
+		if config.VerifyLegacyCertificate != nil {
+			err = verifyLegacyCertificate(tlsConn, config.VerifyLegacyCertificate)
+		} else {
 			// Manually verify certificates
-			err = verifyServerCerts(conn, serverName, tlsConfigCopy)
+			err = verifyServerCerts(tlsConn, hostname, tlsConfig)
 		}
 	}
 
@@ -217,13 +245,13 @@ func verifyLegacyCertificate(conn *tls.Conn, expectedCertificate *x509.Certifica
 	return nil
 }
 
-func verifyServerCerts(conn *tls.Conn, serverName string, config *tls.Config) error {
+func verifyServerCerts(conn *tls.Conn, hostname string, config *tls.Config) error {
 	certs := conn.ConnectionState().PeerCertificates
 
 	opts := x509.VerifyOptions{
 		Roots:         config.RootCAs,
 		CurrentTime:   time.Now(),
-		DNSName:       serverName,
+		DNSName:       hostname,
 		Intermediates: x509.NewCertPool(),
 	}
 

psiphon/tunnel.go

@@ -370,11 +370,13 @@ func dialSsh(
 
 	// Create the base transport: meek or direct connection
 	dialConfig := &DialConfig{
-		UpstreamProxyUrl: config.UpstreamProxyUrl,
-		ConnectTimeout:   TUNNEL_CONNECT_TIMEOUT,
-		PendingConns:     pendingConns,
-		DeviceBinder:     config.DeviceBinder,
-		DnsServerGetter:  config.DnsServerGetter,
+		UpstreamProxyUrl:             config.UpstreamProxyUrl,
+		ConnectTimeout:               TUNNEL_CONNECT_TIMEOUT,
+		PendingConns:                 pendingConns,
+		DeviceBinder:                 config.DeviceBinder,
+		DnsServerGetter:              config.DnsServerGetter,
+		UseIndistinguishableTLS:      config.UseIndistinguishableTLS,
+		SystemCACertificateDirectory: config.SystemCACertificateDirectory,
 	}
 	if useMeek {
 		conn, err = DialMeek(serverEntry, sessionId, frontingAddress, dialConfig)