3766ab2721
This diff modifies webconnectivity@v0.5 to take decisions regarding TLS blocking by using the response from the TH rather than using questionable heuristics based on inspecting the TLSHandshake list alone. This change should improve correctness _when_ we're using the improved TH, which is currently used for 50% of the probes. See https://github.com/ooni/probe/issues/2257. While there, modify `control.go` to specify which control is being used.
package webconnectivity
//
// TLS analysis
//
import "github.com/ooni/probe-cli/v3/internal/model"
// analysisTLSToplevel is the toplevel analysis function for TLS.
//
// The test helper (TH) result for each endpoint serves as the baseline: a
// probe-side TLS handshake failure sets the TLS blocking flag only when the
// TH handshake towards the same address did not fail. Endpoints the TH did
// not test, and endpoints where the TH failed as well, are left unflagged.
//
// NOTE(review): tk.Control is taken at face value here, so the verdict is
// only as trustworthy as the TH response it was built from; confirm how the
// caller obtains and validates it.
func (tk *TestKeys) analysisTLSToplevel(logger model.Logger) {
	// No control data means there is no baseline to compare against.
	if tk.Control == nil || len(tk.Control.TLSHandshake) == 0 {
		return
	}
	baseline := tk.Control.TLSHandshake

	// Compare every failed probe handshake with what the TH observed.
	for _, probe := range tk.TLSHandshakes {
		probeErr := probe.Failure
		if probeErr == nil {
			continue // handshake succeeded, nothing to explain
		}
		addr := probe.Address

		// TODO(bassosimone,kelmenhorst): if, in the future, we choose to
		// adapt this code to QUIC, we need to remember to treat EHOSTUNREACH
		// and ENETUNREACH specially when the IP address is IPv6.

		// Skip endpoints that only the probe tested (no TH observation to
		// compare with) and endpoints where the TH failed too. In the latter
		// case BlockingFlags is deliberately left alone: precise error
		// mapping is left to the pipeline.
		if th, tested := baseline[addr]; !tested || th.Failure != nil {
			continue
		}

		// The probe failed where the TH succeeded: record it as TLS blocking.
		// The flag is OR'ed in, so one such endpoint is enough to set it.
		logger.Warnf(
			"TLS: endpoint %s is blocked (see #%d): %s",
			addr,
			probe.TransactionID,
			*probeErr,
		)
		tk.BlockingFlags |= analysisFlagTLSBlocking
	}
}