[Peer Review Request]Restls: A Perfect Impersonation of TLS Handshake #223

Open
3andne opened this issue Feb 5, 2023 · 5 comments

3andne commented Feb 5, 2023

Hi there,
I hope you are having a good day.
We're currently working on a brand new protocol named Restls which can be used as an extension to Shadowsocks. It shares a similar goal with ShadowTLS to circumvent GFW whitelisting but fixes ShadowTLS' fundamental flaw of not being able to provide server authentication. Such a flaw might be utilized by the GFW to block ShadowTLS precisely.
If that sounds good, you might want to take a look at the draft:
Restls: A Perfect Impersonation of TLS Handshake
You can find a proof-of-concept implementation in the same repo.
----------------------
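Hello,
I hope all is going well for you.
We are designing a new protocol named Restls, which can be used as a plugin for Shadowsocks. Its goal is similar to that of ShadowTLS: to circumvent the GFW's whitelisting mechanism. However, it tries to address the server authentication that ShadowTLS failed to achieve in its protocol design, thereby avoiding being precisely blocked.
If you think this sounds okay, you might want to take a look at the design draft of the protocol:
Restls: A Perfect Impersonation of TLS Handshake
The repository also contains an implementation and instructions for using it.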

Author

3andne commented Feb 5, 2023

This extension (as well as ShadowTLS) would potentially change the 0-RTT nature of Shadowsocks. As of now, Restls is only able to parrot the TLS handshake. To achieve an overall perfect impersonation, we might need deeper integration with Shadowsocks so that Restls gets more context when an anomaly is detected on the Shadowsocks side. That would allow us to send TLS Alerts accordingly. So far Shadowsocks only resets the connection when an error happens.

Contributor

madeye commented Feb 7, 2023

It would be lovely to implement SIP003 client mode in your restls as well, so that shadowsocks users can use it as a plugin directly.

Some reference SIP003 Rust code here: https://github.com/shadowsocks/qtun/blob/master/src/args/mod.rs

Contributor

Mygod commented Feb 8, 2023

This sounds like a good idea but I'm not sure. TLS is very complicated so I expect any TLS-based obfuscation would be very prone to loopholes and errors. @gfw-report Any thoughts, or ideas as for where to find people who could review this design?

Contributor

Mygod commented Feb 8, 2023

Oh I suppose you can post it to https://github.com/net4people/bbs/issues to see what people there think about this.

Author

3andne commented Feb 8, 2023

@Mygod Thanks for the nice suggestion.
