Is it possible to modify TLS handshake in C# HttpClient on .NET Core

About

Asked 28/7, 2020 at 9:18 Answered 28/7, 2020 at 9:18

Apparently, CloudFlare now has some kind of a whitelist for the possible TLS handshake parameters for every known browser. Thus, when I'm sending HTTPS requests using HttpClient, CloudFlare considers it a bot and at the very minimum presents a captcha. The captcha itself is not a problem, I'm using a browser to ask the user to pass it. However, some websites apparently block some requests even after passing the captcha just because the TLS handshake was not whitelisted by CloudFlare.

So I've digged into the .NET Core source to see if I can modify the way TLS handshake packet is built. Unfortunately, it seems that .NET Core itself doesn't build it itself but rather delegates it to the underlying library (OpenSSL on Linux / standard Windows)... Is the only solution to write my own SSL library?... Sounds like a task for many months.

Removable answered 28/7, 2020 at 9:18 Comment(10)

Didn't know that HttpClient use some different behavior for TLS handshake than regular browser. Do you mean explicit TLS version change? Consider HttpClientHandler class to change some connection properties. Using custom TLS implementation is a kind of insecure way to interact with web. – Laevo 28/7, 2020 at 10:24

What is different is the set of the ciphers, hashing algorithms, etc. allowed to use. Based on this information CloudFlare is building a "fingerprint" that differs between different browsers and apps. They then compare it with the UserAgent specified to determine if the browser is really what UserAgent says it is. – Removable 28/7, 2020 at 11:42

I think that's possible to customize the cipher set. – Laevo 28/7, 2020 at 12:19

It is indeed, on Linux/OSX only though. CloudFlare checks more parameters though, not only the cipher set. – Removable 29/7, 2020 at 7:51

CloudFlare is team of IT security proffesionals. Do you really want to break through protection system written for years by the team of professionals, within one question on StackOverflow? Good luck :) You can break through TLS, but for Proof-of-Work script passing you need to execute JS, anyway. Maybe some headless browser is more friendly solution then? – Laevo 29/7, 2020 at 8:51

I don't want to break their protection system, I just need to find a workaround for the TLS issue because other possible verifications (captcha, JS test) are easy to pass by asking the user to help with that. We have to make their system to believe we're not a bot in the subsequent requests after passing those tests. That's what the issue is. And by the way we're not doing anything harmful for the target server, just merely helping the users to do something completely legal and even beneficial for the website. – Removable 29/7, 2020 at 9:19

Anyway, consider, how will you pass PoW script that only checks if the real browser is running. – Laevo 29/7, 2020 at 11:32

@Removable did you find any solution about this? – Trepidation 28/1, 2022 at 12:38

@Trepidation Nope, I had to switch to a commercial HTTPS library to do the requests. – Removable 30/1, 2022 at 16:5

@Removable can you tells us what library solved the issue for you? it would be useful – Mercurio 11/3, 2022 at 16:48

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags