[GH-ISSUE #84] CDN mode not working: transport TLS in correct format but not Cloak: cipher: message authentication failed #74

Open
opened 2026-02-26 12:33:54 +03:00 by kerem · 2 comments

Originally created by @NuLL3rr0r on GitHub (Dec 25, 2019).
Original GitHub issue: https://github.com/cbeuw/Cloak/issues/84

As can be seen, domain fronting works with curl:

```
$ curl -s -H "Host: mamadou-verizon-c1.azureedge.net" https://ajax.aspnetcdn.com
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
	<head>
		<title>404 - Not Found</title>
	</head>
	<body>
		<h1>404 - Not Found</h1>
	</body>
</html>
```

But when I try it with Cloak, the Cloak log says:

```
WARN[0147] transport TLS in correct format but not Cloak: cipher: message authentication failed  UID= encryptionMethod=0 proxyMethod= remoteAddr="XXX.XXX.XXX.XXX:34095" sessionId=0
```

And the client says:

```
ERRO[0012] Failed to prepare connection to remote: failed to handshake: malformed HTTP response "\x00\x00\x1e\x04\x00\x00\x00\x00\x00\x00\x01\x00\x00\x10\x00\x00\x03\x00\x00\x00d\x00\x04\x00\x10\x00\x00\x00\x05\x00\x00@\x00\x00\x06\x00\x00@\x00\x00\x00\x04\b\x00\x00\x00\x00\x00\x00\x0f\x00\x01\x00\x00\b\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"
```

Of course, if I set it to direct instead of CDN it works.

My Shadowsocks config:

```
{
    "server":"XXX.XXX.XXX.XXX",
    "server_port":443,
    "local_address":"127.0.0.1",
    "local_port":1080,
    "user":"nobody",
    "password":"PASSWORD",
    "timeout":600,
    "method":"chacha20-ietf-poly1305",
    "mode":"tcp_and_udp",
    "reuse_port":true,
    "fast_open":true,
    "no-delay":true,
    "plugin":"/usr/local/bin/ck-client",
    "plugin_opts":"/etc/shadowsocks-libev/ckclient.json"
}
```

My cloak ckclient.json:

```
{
  "Transport": "CDN",
  "ProxyMethod": "shadowsocks",
  "EncryptionMethod": "plain",
  "UID": "ADMINUID",
  "PublicKey": "PUBLICKEY",
  "ServerName": "ajax.aspnetcdn.com",
  "NumConn": 4,
  "BrowserSig": "chrome",
  "StreamTimeout": 300
}
```

My ckserver.json on Azure VPS:

```
{
  "ProxyBook": {
    "shadowsocks": [
      "tcp",
      "127.0.0.1:8388"
    ],
    "openvpn": [
      "udp",
      "127.0.0.1:8389"
    ],
    "tor": [
      "tcp",
      "127.0.0.1:9001"
    ]
  },
  "BindAddr": [
    ":443",
    ":80"
  ],
  "BypassUID": [
    "ADMINUID"
  ],
  "RedirAddr": "ajax.aspnetcdn.com",
  "PrivateKey": "PRIVATEKEY",
  "AdminUID": "ADMINUI",
  "DatabasePath": "userinfo.db",
  "StreamTimeout": 300
}
```

Any ideas?

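Decoding the byte string in the client error, as an added example that is not from the issue or the Cloak project: the bytes are HTTP/2 frames (RFC 7540 section 4.1), so the CDN edge spoke h2 back to a client expecting an HTTP/1.1 response and closed with GOAWAY PROTOCOL_ERROR, which ck-client reports as a malformed HTTP response. The byte literal is re-typed from the ERRO[0012] line; the decoder and its names are mine.

```python
# Added example, not from the issue or Cloak: a minimal HTTP/2 frame decoder (RFC 7540
# s.4.1: 3-byte length, type, flags, 4-byte stream id, payload) run over the client's bytes.
import struct

FRAME_TYPES = {0x4: "SETTINGS", 0x7: "GOAWAY", 0x8: "WINDOW_UPDATE"}
SETTINGS = {1: "HEADER_TABLE_SIZE", 2: "ENABLE_PUSH", 3: "MAX_CONCURRENT_STREAMS",
            4: "INITIAL_WINDOW_SIZE", 5: "MAX_FRAME_SIZE", 6: "MAX_HEADER_LIST_SIZE"}
ERRORS = {0: "NO_ERROR", 1: "PROTOCOL_ERROR", 2: "INTERNAL_ERROR"}

# Re-typed from the ERRO[0012] line above, with Go's %q escapes expanded to plain hex.
CAPTURED = bytes.fromhex(
    "00001e04 00000000 00"                          # SETTINGS, length 30, stream 0
    "0001 00001000  0003 00000064"                  # HEADER_TABLE_SIZE, MAX_CONCURRENT_STREAMS
    "0004 00100000  0005 00004000  0006 00004000"   # INITIAL_WINDOW_SIZE, MAX_FRAME_SIZE, ...
    "00000408 00000000 00  000f0001"                # WINDOW_UPDATE, increment 983041
    "00000807 00000000 00  00000000 00000001"       # GOAWAY, last stream 0, error code 1
)

def parse_frames(buf: bytes) -> list:
    """Split buf into HTTP/2 frames; raise if a frame is truncated."""
    frames, off = [], 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError(f"truncated frame at offset {off}")
        frame = {"type": FRAME_TYPES.get(ftype, f"0x{ftype:02x}"),
                 "flags": flags, "stream": stream}
        if ftype == 0x4:    # SETTINGS payload: (16-bit id, 32-bit value) pairs
            frame["settings"] = {SETTINGS.get(k, k): v
                                 for k, v in struct.iter_unpack(">HI", payload)}
        elif ftype == 0x8:  # WINDOW_UPDATE payload: 31-bit window increment
            frame["increment"] = int.from_bytes(payload, "big") & 0x7FFFFFFF
        elif ftype == 0x7:  # GOAWAY payload: last stream id, error code, debug data
            last, err = struct.unpack(">II", payload[:8])
            frame["last_stream"], frame["error"] = last & 0x7FFFFFFF, ERRORS.get(err, err)
        frames.append(frame)
        off += 9 + length
    return frames

def diagnose(buf: bytes) -> str:
    # Server preface (SETTINGS) followed by GOAWAY is the pattern in the issue.
    frames = parse_frames(buf)
    kinds = [f["type"] for f in frames]
    goaway = next((f for f in frames if f["type"] == "GOAWAY"), None)
    if kinds[:1] == ["SETTINGS"] and goaway:
        return f"peer spoke HTTP/2 (server preface) then closed with GOAWAY {goaway['error']}"
    return "frames seen: " + ", ".join(kinds)
```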

@NuLL3rr0r commented on GitHub (Dec 25, 2019):

More debugging information with curl:

```
curl -v -H "Host: mamadou-verizon-c1.azureedge.net" https://ajax.aspnetcdn.com
*   Trying 152.199.19.160:443...
* TCP_NODELAY set
* Connected to ajax.aspnetcdn.com (152.199.19.160) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.vo.msecnd.net
*  start date: Mar 30 17:48:56 2018 GMT
*  expire date: Mar 30 17:48:56 2020 GMT
*  subjectAltName: host "ajax.aspnetcdn.com" matched cert's "*.aspnetcdn.com"
*  issuer: C=US; ST=Washington; L=Redmond; O=Microsoft Corporation; OU=Microsoft IT; CN=Microsoft IT TLS CA 2
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: mamadou-verizon-c1.azureedge.net
> User-Agent: curl/7.67.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Content-Type: text/html
< Date: Wed, 25 Dec 2019 04:22:50 GMT
< Server: ECAcc (lha/8DD0)
< Content-Length: 345
< 
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
	<head>
		<title>404 - Not Found</title>
	</head>
	<body>
		<h1>404 - Not Found</h1>
	</body>
</html>
* Connection #0 to host ajax.aspnetcdn.com left intact
```

@cbruegg commented on GitHub (May 17, 2021):

I believe the problem is that Azure CDN maps HTTP to HTTP and HTTPS to HTTPS, i.e. when you access http://yourcdn.azureedge.net, it forwards to http://yourorigin.azureedge.net and when you access https://yourcdn.azureedge.net, it forwards to https://yourorigin.azureedge.net. With the former, Azure CDN doesn't expect a TLS connection, so it doesn't work. With the latter, Azure tries to establish a real TLS connection to the origin, which also cannot result in a working tunnel.

This actually even affects non-fronted setups. I haven't been able to set up the normal CDN mode of Cloak with Azure either.

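One way to see which of these cases the origin is actually receiving, as an added example that is not from the issue or the Cloak project: classify the first bytes of an accepted connection on the origin port. Cloak's CDN mode expects the CDN to deliver an HTTP/1.1 WebSocket upgrade, whereas an HTTPS-to-HTTPS mapping delivers a fresh TLS ClientHello from the edge, which is the "transport TLS in correct format but not Cloak" situation in the server log. The function, its labels and the sample inputs are mine and constructed.

```python
# Added example, not from the issue or Cloak: name what the first bytes on an
# origin-side connection look like, so an operator can tell an edge-originated
# TLS handshake apart from the WebSocket upgrade that Cloak's CDN mode expects.
def classify_origin_bytes(head: bytes) -> str:
    """Classify the first bytes read from an accepted origin connection."""
    # TLS record: content type 0x16 (handshake), version 0x03xx, 2-byte length,
    # then a handshake message whose first byte is 0x01 for ClientHello.
    if len(head) >= 6 and head[0] == 0x16 and head[1] == 0x03 and head[5] == 0x01:
        return "tls-clienthello"
    if head.startswith(b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"):
        return "h2c-preface"
    request_line, sep, rest = head.partition(b"\r\n")
    if sep and request_line.endswith(b" HTTP/1.1"):
        headers = {}
        for line in rest.split(b"\r\n"):
            name, colon, value = line.partition(b":")
            if colon:
                headers[name.strip().lower()] = value.strip().lower()
        if headers.get(b"upgrade") == b"websocket" and b"upgrade" in headers.get(b"connection", b""):
            return "websocket-upgrade"
        return "plain-http"
    return "unknown"

# Constructed samples, not captured traffic: a TLS 1.x ClientHello record header,
# a forwarded WebSocket upgrade, and a forwarded plain GET.
SAMPLES = {
    "edge re-originated HTTPS": bytes.fromhex("1603010200 01 0001fc 0303") + b"\x00" * 10,
    "edge forwarded the upgrade": (b"GET / HTTP/1.1\r\nHost: mamadou-verizon-c1.azureedge.net\r\n"
                                   b"Connection: Upgrade\r\nUpgrade: websocket\r\n\r\n"),
    "edge forwarded plain HTTP": b"GET / HTTP/1.1\r\nHost: mamadou-verizon-c1.azureedge.net\r\n\r\n",
}
```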