[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[tor-talk] FortiGuard firewall blocks meek by TLS signature
Recently, we had reports of Cyberoam firewalls blocking meek by TLS
I got a similar report, this time for a FortiGuard firewall.
The story is basically the same as last time: the firewall looks for TLS
that has the signature of a specific version of Firefox and is also
destined to one of the default front domains. This time it is the
signature of Firefox 45 they're looking for. They also were not blocking
the domain www.google.com, so meek-google would work if it hadn't been
shut down recently.
Here are workarounds to try if you find yourself in this situation. See
also: What to do if meek gets blocked.
First try changing the front domain. This is easy to do; you don't have
to edit any files.
These alternative bridge lines worked in this case:
Bridge meek 0.0.2.0:2 url=https://d2zfqthxsdq309.cloudfront.net/ front=d2ko15wevu3ps3.cloudfront.net
Bridge meek 0.0.2.0:3 url=https://az786092.vo.msecnd.net/ front=ajax.microsoft.com
The second workaround is to disable the Firefox TLS camouflage and use
naked Golang TLS. To do that, edit the file
Browser/TorBrowser/Data/Tor/torrc-defaults and change the line
ClientTransportPlugin meek exec TorBrowser\Tor\PluggableTransports\terminateprocess-buffer TorBrowser\Tor\PluggableTransports\meek-client-torbrowser -- TorBrowser\Tor\PluggableTransports\meek-client
ClientTransportPlugin meek exec TorBrowser\Tor\PluggableTransports\terminateprocess-buffer TorBrowser\Tor\PluggableTransports\meek-client
I.e., remove the meek-client-torbrowser wrapper program. The format of
the line will differ slightly depending on your operating system, but it
should be pretty easy to figure out.
The third workaround is to set up your own App Engine app. This isn't
very hard to do. Instructions are here:
tor-talk mailing list - firstname.lastname@example.org
To unsubscribe or change other settings go to