Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade baseline curl to 8.1.1 #160

Merged
merged 16 commits into from
Sep 15, 2023
Merged

Upgrade baseline curl to 8.1.1 #160

merged 16 commits into from
Sep 15, 2023

Conversation

lwthiker
Copy link
Owner

@lwthiker lwthiker commented May 26, 2023
edited
Loading

The new curl version includes bugfixes, new options but mainly websocket support which was long requested in curl-impersonate. This commit attempts to upgrade the baseline curl version to 8.1.1 for the Chrome version.

TODO:

  • Fix HTTP2 header and settings handling which was reworked in the upstream curl
  • Upgrade the Firefox version as well.
  • Test WebSocket handling. (will be postponed to a later PR)

@lwthiker
Upgrade baseline curl to 8.1.1
8dcee77 
New curl version includes bugfixes, new options but mainly websocket
support which was long requested in curl impersonate. This commit
attemps to upgrade the baseline curl version to 8.1.1 for the Chrome
version.
This was referenced May 26, 2023
Closed
Open
@lwthiker
Upgrade GitHub Mac runner to macos-12
403fed5 
Attempt to solve the macos build error by upgrading to a newer runner.
@lwthiker
Remove curl's conversion of gcc flags to -isystem
2d403c0 
On macos, clang gives priority to /usr/local/include
over locations specified with -isystem for some unknown reason. In turn
this causes clang to use the system's openssl, which conflicts with
curl-impersonate's boringssl headers.
To prevent that, disable curl's automatic conversion of -I flags to
-isystem.
@lwthiker
Fix arm32 linking
101a852
@lwthiker
Upgrade nghttp2 version to 1.56.0
9ffb085 
curl-8.1.1 uses an nghttp2 function that only exists in newer versions
of nghttp2.
@lwthiker
Fix http/2 setting and stream options for Chrome
3453420
@lwthiker
Copy link
Owner Author

lwthiker commented Sep 9, 2023

This seems to be finally working. Upstream curl reworked their http2 code which made this upgrade way more difficult than I had originally anticipated. Since this is a large patch, I'm going to leave it open for a couple of days and let anyone who might want to test it out before merging.

This also fixes the broken build on mac (#166)

@coderb
Copy link

coderb commented Sep 9, 2023

@lwthiker is there any way to access the binaries for linux x64? i'd like to test but i dont have a build environment setup. thanks for your effort, this project is fantastic!

@lwthiker lwthiker mentioned this pull request Sep 10, 2023
Closed
@lwthiker
Copy link
Owner Author

@coderb There you go: https://github.com/lwthiker/curl-impersonate/releases/tag/v0.6.0-alpha.1

@coderb
Copy link

coderb commented Sep 10, 2023

I still have issue #175 (firefox w/false start breaks) with the build (running up to debian bookworm system, tested on 2 systems).

$ ./curl_ff102 -k -v https://www.bing.com/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 13.107.21.200:443...
* Connected to www.bing.com (13.107.21.200) port 443 (#0)
* Initializing NSS with certpath: none
*  CAfile: none
*  CApath: none
* loaded libnssckbi.so
* ALPN: offers http/1.1,h2
* skipping SSL peer certificate verification
* Trying TLS False Start
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=www.bing.com,O=Microsoft Corporation,L=Redmond,ST=WA,C=US
*  start date: Jul 26 23:57:23 2023 GMT
*  expire date: Jan 22 23:57:23 2024 GMT
*  common name: www.bing.com
*  issuer: CN=Microsoft Azure TLS Issuing CA 05,O=Microsoft Corporation,C=US
* using HTTP/1.x
> GET / HTTP/1.1
> Host: www.bing.com
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate, br
> Upgrade-Insecure-Requests: 1
> Sec-Fetch-Dest: document
> Sec-Fetch-Mode: navigate
> Sec-Fetch-Site: none
> Sec-Fetch-User: ?1
> TE: Trailers
>
* ALPN: server accepted h2
* Received HTTP/0.9 when not allowed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (1) Received HTTP/0.9 when not allowed

@lwthiker
Copy link
Owner Author

I can't reproduce it. When I run curl-impersonate on a debian bookworm docker it works fine.

I guess the solution would be to just remove the --false-start flag from the wrapper scripts. I don't think it has any effect over the browser fingerprint anyway. Let's keep it for a separate PR after I merge this.

@coderb
Copy link

coderb commented Sep 10, 2023

would it be possible for you to share the docker file or image somehow? i'd like to compare it to mine to track down the issue. thank you.

@coderb
Copy link

coderb commented Sep 10, 2023
edited
Loading

while doing some additional testing i did a library call using libcurl-impersonate-chrome.so to curl_easy_setopt(h, CURLOPT_SSL_FALSESTART, 1) and it returned the error code CURLE_NOT_BUILT_IN.

the command line scripts for chrome seem to include --false-start but run ok for me so my guess is that the command line handling is either not handling the option properly or ignore the error code from setopt.

running w/o the false start option doesn't seem to cause me any problems, but perhaps for completeness / stealthiness it does seem like there is a problem here if the native browsers actually have this feature enabled in their ssl stacks.

i tested the chrome .so for both the current release version and the alpha you published with the same result.

thanks

@coderb
Copy link

coderb commented Sep 10, 2023

ok, i just looked throught the current tip of the source tree for curl and from what i can tell there is very limited support for false start.

https://github.com/search?q=repo%3Acurl%2Fcurl%20false_start&type=code
it looks like maybe it's only supported for macos/ios using sectransp because the other ssl backends seem to be pointing their implementation to Curl_none_false_start.

this would all make sense, but you say it works for you somehow so i am a bit baffled.

@coderb
Copy link

coderb commented Sep 10, 2023
edited
Loading

oof, should have rtfm...

      --false-start
              (TLS) Tells curl to use false start during  the  TLS  hand‐
              shake.  False start is a mode where a TLS client will start
              sending application data before verifying the server's Fin‐
              ished  message,  thus saving a round trip when performing a
              full handshake.

              This is currently only implemented in the  NSS  and  Secure
              Transport  (on  iOS  7.0  or  later, or OS X 10.9 or later)
              backends.

              Added in 7.42.0.

So chrome shouldn't work....but the convenience scripts include the option.

For some reason my code search didn't pick up the NSS ssl provider code snippet.... will look into it.

@coderb
Copy link

coderb commented Sep 10, 2023

i just tried the docker runtime image (latest) and it fails:

$ docker pull lwthiker/curl-impersonate
$ docker run --rm lwthiker/curl-impersonate curl_ff109 https://www.bing.com/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (1) Received HTTP/0.9 when not allowed

@lwthiker
Copy link
Owner Author

ok so I managed to reproduce it by doing curl_ff109 -v -k https://13.107.21.200 (i.e. using the exact same IP address as yours). Something in this server makes curl initiate a false start using http/1.1, while the server chooses http/2 based on alpn (as noted in the logs you attached). It happens also with vanilla curl using nss and the --false-start flag, so it's a curl bug:

* Connected to 13.107.21.200 (13.107.21.200) port 443 (#0)
* Initializing NSS with certpath: none
* WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
*  CAfile: none
*  CApath: none
* loaded libnssckbi.so
* ALPN: offers h2,http/1.1
* skipping SSL peer certificate verification
* Trying TLS False Start
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=www.bing.com,O=Microsoft Corporation,L=Redmond,ST=WA,C=US
*  start date: Jul 26 23:57:23 2023 GMT
*  expire date: Jan 22 23:57:23 2024 GMT
*  common name: www.bing.com
*  issuer: CN=Microsoft Azure TLS Issuing CA 05,O=Microsoft Corporation,C=US
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 13.107.21.200
> User-Agent: curl/8.1.1-DEV
> Accept: */*
> 
* ALPN: server accepted h2
* Received HTTP/0.9 when not allowed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (1) Received HTTP/0.9 when not allowed

I think removing this flag altogether would be best for now, especially given that upstream curl does not support nss anymore.

@lwthiker lwthiker merged commit d48a572 into main Sep 15, 2023
5 checks passed
@lwthiker lwthiker deleted the upgrade_curl_to_8_1_1 branch September 15, 2023 14:46
@lwthiker lwthiker mentioned this pull request Sep 15, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lwthiker @coderb