[forwardport] fix: avoid http3 for dns.google and www.google.com (#593) (#594)

This commit forward ports dedd84fa7ecb09f718f6b1a9c83999cb37b34dfa. Original commit message: - - - This diff changes code the release/3.11 branch to ensure we're not using dns.google and www.google.com over HTTP3. As documented in https://github.com/ooni/probe/issues/1873, since this morning (approx) these services do not support HTTP3 anymore. (I didn't bother with checking whether this issue affects _other_ Google services; I just limited my analysis to the services that we were using as part of testing.) This patch WILL require forward porting to the master branch.
2021-11-12 14:43:28 +01:00
parent 3dad324f09
commit 0a322ebab0
9 changed files with 90 additions and 33 deletions
@@ -28,8 +28,6 @@ var allmakers = []*resolvermaker{{
 	url: "http3://cloudflare-dns.com/dns-query",
 }, {
 	url: "https://dns.google/dns-query",
-}, {
-	url: "http3://dns.google/dns-query",
 }, {
 	url: "https://dns.quad9.net/dns-query",
 }, {
@@ -8,9 +8,10 @@ import (
 	"github.com/lucas-clemente/quic-go"
 	errorsxlegacy "github.com/ooni/probe-cli/v3/internal/engine/legacy/errorsx"
 	"github.com/ooni/probe-cli/v3/internal/netxlite"
+	"github.com/ooni/probe-cli/v3/internal/netxlite/quictesting"
 )

-func TestErrorWrapperQUICDialerInvalidCertificate(t *testing.T) {
+func TestErrorWrapperQUICDialerFailure(t *testing.T) {
 	nextprotos := []string{"h3"}
 	servername := "example.com"
 	tlsConf := &tls.Config{
@@ -21,17 +22,16 @@ func TestErrorWrapperQUICDialerInvalidCertificate(t *testing.T) {
 	dlr := &errorsxlegacy.ErrorWrapperQUICDialer{Dialer: &netxlite.QUICDialerQUICGo{
 		QUICListener: &netxlite.QUICListenerStdlib{},
 	}}
-	// use Google IP
 	sess, err := dlr.DialContext(context.Background(), "udp",
-		"216.58.212.164:443", tlsConf, &quic.Config{})
+		quictesting.Endpoint("443"), tlsConf, &quic.Config{})
 	if err == nil {
 		t.Fatal("expected an error here")
 	}
 	if sess != nil {
 		t.Fatal("expected nil sess here")
 	}
-	if err.Error() != netxlite.FailureSSLInvalidCertificate {
-		t.Fatal("unexpected failure")
+	if err.Error() != netxlite.FailureSSLFailedHandshake {
+		t.Fatal("unexpected failure", err.Error())
 	}
 }

@@ -39,12 +39,12 @@ func TestErrorWrapperQUICDialerSuccess(t *testing.T) {
 	ctx := context.Background()
 	tlsConf := &tls.Config{
 		NextProtos: []string{"h3"},
-		ServerName: "www.google.com",
+		ServerName: quictesting.Domain,
 	}
 	d := &errorsxlegacy.ErrorWrapperQUICDialer{Dialer: &netxlite.QUICDialerQUICGo{
 		QUICListener: &netxlite.QUICListenerStdlib{},
 	}}
-	sess, err := d.DialContext(ctx, "udp", "216.58.212.164:443", tlsConf, &quic.Config{})
+	sess, err := d.DialContext(ctx, "udp", quictesting.Endpoint("443"), tlsConf, &quic.Config{})
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -12,6 +12,7 @@ import (
 	"github.com/ooni/probe-cli/v3/internal/engine/netx/quicdialer"
 	"github.com/ooni/probe-cli/v3/internal/engine/netx/trace"
 	"github.com/ooni/probe-cli/v3/internal/netxlite"
+	"github.com/ooni/probe-cli/v3/internal/netxlite/quictesting"
 )

 type MockDialer struct {
@@ -30,7 +31,7 @@ func (d MockDialer) DialContext(ctx context.Context, network, host string,

 func TestHandshakeSaverSuccess(t *testing.T) {
 	nextprotos := []string{"h3"}
-	servername := "www.google.com"
+	servername := quictesting.Domain
 	tlsConf := &tls.Config{
 		NextProtos: nextprotos,
 		ServerName: servername,
@@ -43,7 +44,7 @@ func TestHandshakeSaverSuccess(t *testing.T) {
 		Saver: saver,
 	}
 	sess, err := dlr.DialContext(context.Background(), "udp",
-		"216.58.212.164:443", tlsConf, &quic.Config{})
+		quictesting.Endpoint("443"), tlsConf, &quic.Config{})
 	if err != nil {
 		t.Fatal("unexpected error", err)
 	}
@@ -57,7 +58,7 @@ func TestHandshakeSaverSuccess(t *testing.T) {
 	if ev[0].Name != "quic_handshake_start" {
 		t.Fatal("unexpected Name")
 	}
-	if ev[0].TLSServerName != "www.google.com" {
+	if ev[0].TLSServerName != quictesting.Domain {
 		t.Fatal("unexpected TLSServerName")
 	}
 	if !reflect.DeepEqual(ev[0].TLSNextProtos, nextprotos) {
@@ -78,7 +79,7 @@ func TestHandshakeSaverSuccess(t *testing.T) {
 	if !reflect.DeepEqual(ev[1].TLSNextProtos, nextprotos) {
 		t.Fatal("unexpected TLSNextProtos")
 	}
-	if ev[1].TLSServerName != "www.google.com" {
+	if ev[1].TLSServerName != quictesting.Domain {
 		t.Fatal("unexpected TLSServerName")
 	}
 	if ev[1].Time.Before(ev[0].Time) {
@@ -101,7 +102,7 @@ func TestHandshakeSaverHostNameError(t *testing.T) {
 		Saver: saver,
 	}
 	sess, err := dlr.DialContext(context.Background(), "udp",
-		"216.58.212.164:443", tlsConf, &quic.Config{})
+		quictesting.Endpoint("443"), tlsConf, &quic.Config{})
 	if err == nil {
 		t.Fatal("expected an error here")
 	}
@@ -115,8 +116,7 @@ func TestHandshakeSaverHostNameError(t *testing.T) {
 		if ev.NoTLSVerify == true {
 			t.Fatal("expected NoTLSVerify to be false")
 		}
-		if !strings.Contains(ev.Err.Error(),
-			"certificate is valid for www.google.com, not "+servername) {
+		if !strings.HasSuffix(ev.Err.Error(), "tls: handshake failure") {
 			t.Fatal("unexpected error", ev.Err)
 		}
 	}
@@ -12,6 +12,7 @@ import (
 	"github.com/ooni/probe-cli/v3/internal/engine/netx/trace"
 	"github.com/ooni/probe-cli/v3/internal/netxlite"
 	"github.com/ooni/probe-cli/v3/internal/netxlite/mocks"
+	"github.com/ooni/probe-cli/v3/internal/netxlite/quictesting"
 	"github.com/ooni/probe-cli/v3/internal/netxlite/quicx"
 )

@@ -42,7 +43,7 @@ func TestSystemDialerSuccessWithReadWrite(t *testing.T) {
 	// This is the most common use case for collecting reads, writes
 	tlsConf := &tls.Config{
 		NextProtos: []string{"h3"},
-		ServerName: "www.google.com",
+		ServerName: quictesting.Domain,
 	}
 	saver := &trace.Saver{}
 	systemdialer := &netxlite.QUICDialerQUICGo{
@@ -52,7 +53,7 @@ func TestSystemDialerSuccessWithReadWrite(t *testing.T) {
 		},
 	}
 	_, err := systemdialer.DialContext(context.Background(), "udp",
-		"216.58.212.164:443", tlsConf, &quic.Config{})
+		quictesting.Endpoint("443"), tlsConf, &quic.Config{})
 	if err != nil {
 		t.Fatal(err)
 	}