SSL Proxy Issue in Iran

Dear friends,

Over the past few days, we have received multiple reports that the SSL proxy service has run into problems and that users are hitting the filtering. This is not limited to the Project Ainita service; all SSL proxy service providers have been facing the same problem.

It appears that the Iranian government has managed to somehow detect SSL tunneling headers and block them from passing. You can read our detailed technical report below.

This problem has not cut off access completely, and websites such as Facebook, Twitter and YouTube are accessible, but most other filtered sites are no longer accessible.

The Project Ainita team is looking for a solution to this problem, and as soon as a solution to this new problem is ready, we will let you know.

Dear Friends,

For the past few days, we have received multiple reports from our users that all the SSL proxy servers are failing to cut through the Iranian government's online censorship system. This was not only on our servers; other SSL proxy service providers are suffering the same problem.

The issue is that they somehow succeeded in detecting SSL proxy packets (they still let web SSL connections pass) and kill the SSL proxy packets on the fly (read the log below).

It did not completely kill the service; some websites, like Twitter and Facebook, are still usable with the SSL proxy system, but the vast majority of other websites are not.

Project Ainita will continue working on a solution and will inform you as soon as possible.

Error:

Client Side: [09.24 12:56:13] TrapsMonitor - xxx.xxx.xxx.xxx:80 error : Could not connect through proxy proxy.ainita.net:443 - Proxy server cannot establish a connection with the target, status code 504

Server Side: [09.24 10:43:51] The request cannot be processed properly due to damaged or insufficient headers. Error code 504

Error Description

A server (not necessarily a Web server) is acting as a gateway or proxy to fulfil the request by the client (e.g. your Web browser) to access the requested URL. This server did not receive a timely response from an upstream server it accessed to deal with your HTTP request.

This usually means that the upstream server is down (no response to the gateway/proxy), rather than that the upstream server and the gateway/proxy do not agree on the protocol for exchanging data.

504 errors in the HTTP cycle

Any client (e.g. your Web browser) goes through the following cycle when it communicates with the Web server:

• Obtain an IP address from the IP name of the site (the site URL without the leading 'http://'). This lookup (conversion of IP name to IP address) is provided by domain name servers (DNSs).
• Open an IP socket connection to that IP address.
• Write an HTTP data stream through that socket.
• Receive an HTTP data stream back from the Web server in response. This data stream contains status codes whose values are determined by the HTTP protocol. Parse this data stream for status codes and other useful information.

This error occurs in the final step above when the client receives an HTTP status code that it recognises as '504'.

This error happens when any proxy client tries to connect to any site (except Facebook and YouTube) via Squid Proxy Server.
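To see which targets are affected, the client-side errors can be tallied per proxy, status code and target. The following is an added example, not part of the original post or of Project Ainita's tooling: the line pattern is inferred from the single client-side log line quoted above, and the sample log is constructed with documentation addresses.

```python
import re
from collections import Counter

# Pattern modelled on the one client-side line quoted in the post; the client's
# full log grammar is not documented there, so treat this as an assumption.
LINE_RE = re.compile(
    r"\[(?P<ts>\d{2}\.\d{2} \d{2}:\d{2}:\d{2})\]\s+\S+\s+-\s+"
    r"(?P<target>[^\s:]+:\d+)\s+error\s*:\s*Could not connect through proxy\s+"
    r"(?P<proxy>\S+?:\d+)\s+-\s+.*?status code\s+(?P<status>\d{3})"
)
MSG = "Proxy server cannot establish a connection with the target, status code"
# Constructed sample input (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = f"""\
[09.24 12:56:13] TrapsMonitor - 203.0.113.10:80 error : Could not connect through proxy proxy.ainita.net:443 - {MSG} 504
[09.24 12:56:41] TrapsMonitor - 203.0.113.10:80 error : Could not connect through proxy proxy.ainita.net:443 - {MSG} 504
[09.24 12:57:02] TrapsMonitor - 198.51.100.7:443 error : Could not connect through proxy proxy.ainita.net:443 - {MSG} 504
[09.24 12:57:30] TrapsMonitor - 192.0.2.55:80 error : Could not connect through proxy proxy.ainita.net:443 - {MSG} 502
[09.24 12:58:40] TrapsMonitor - log rotated
"""

def parse_line(line):
    """Return timestamp, target, proxy and status for one error line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def summarize(log_text):
    """Tally failures per (proxy, status) and 504s per target; keep unparsed lines."""
    by_status, timeouts_by_target, skipped = Counter(), Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped.append(line)  # surface unknown lines instead of dropping them
            continue
        by_status[(rec["proxy"], rec["status"])] += 1
        if rec["status"] == 504:  # gateway timeout, the symptom reported above
            timeouts_by_target[rec["target"]] += 1
    return by_status, timeouts_by_target, skipped

if __name__ == "__main__":
    by_status, timeouts, skipped = summarize(SAMPLE_LOG)
    for (proxy, status), n in sorted(by_status.items()):
        print(f"{proxy} status {status}: {n} failures")
    for target, n in timeouts.most_common():
        print(f"504 via proxy for {target}: {n}")
    print(f"unparsed lines: {len(skipped)}")
```

Comparing the per-target 504 counts against targets that still connect shows whether the failures are selective, as the post reports, or affect the proxy as a whole.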