Snawoot / hola-proxy

Standalone Hola proxy client

Unable to use Russian Hola proxies (from Europe, if it matters)

Vangelis66 opened this issue · comments

Hi, hope you're well 😄 - many thanks for hola-proxy 👍

Due to the ongoing conflict in Ukraine, the EU has blocked most Russian services inside its members (I believe the same is true for many European services inside Russia); so I thought of using a Russian Hola proxy, to temporarily evade the block 😜 ; the initialization appears to complete fine, but any subsequent CONNECT request fails due to certificate errors:

hp -country ru -proxy-type direct -dont-use-trial => 

MAIN    : 2023/06/27 01:42:57 main.go:190: WARNING  Detected latest extension version: "1.212.133". Pass -ext-ver parameter to skip resolve and speedup startup
MAIN    : 2023/06/27 01:42:57 main.go:198: INFO     hola-proxy client version v1.9.1 is starting...
MAIN    : 2023/06/27 01:42:57 main.go:199: INFO     Constructing fallback DNS upstream...
MAIN    : 2023/06/27 01:42:57 main.go:206: INFO     Initializing configuration provider...
MAIN    : 2023/06/27 01:42:58 main.go:220: INFO     Endpoint: https://zagent193.hola.org:22222
MAIN    : 2023/06/27 01:42:58 main.go:221: INFO     Starting proxy server...
MAIN    : 2023/06/27 01:42:58 main.go:223: INFO     Init complete.

... but then:

PROXY   : 2023/06/27 01:47:49 handler.go:104: INFO     Request: 127.0.0.1:7161 HTTP/1.1 CONNECT //dzen.ru:443
PROXY   : 2023/06/27 01:47:49 handler.go:104: INFO     Request: 127.0.0.1:7164 HTTP/1.1 CONNECT //dzen.ru:443
PROXY   : 2023/06/27 01:47:50 handler.go:49: ERROR    Can't satisfy CONNECT request: x509: certificate is valid for *.hola-vpn.com, hola-vpn.com, not zagent193.hola.org
PROXY   : 2023/06/27 01:47:50 handler.go:49: ERROR    Can't satisfy CONNECT request: x509: certificate is valid for *.hola-vpn.com, hola-vpn.com, not zagent193.hola.org

Kindly advise on how to proceed...
Thanks in advance ❤️ ...

Hi!

Try US servers then. Looks like RU servers are misbehaving, I can't do anything about that.

Thanks for your reply 😄 ; well, yes, the US (as well as the rest of the) servers do work as expected currently, however they're no good for accessing media content restricted to Russian IPs, only (e.g. Russian TV stations) 😉 ; in any case, since nothing can be done on the app's side, thanks once again for the stupendous app itself! 👍

Regards.

Same issue.

The TLS cert query for hola-vpn.com returns:

Resolving 'hola-vpn.com:443'...
Connecting to '54.225.121.9:443'...

  • Certificate type: X.509
  • Got a certificate list of 3 certificates.
  • Certificate[0] info:
  • subject CN=*.hola-vpn.com', issuer CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x3e55a35a949a9a5247a1d7f682eff230, RSA key 2048 bits, signed using RSA-SHA256, activated 2023-02-27 00:00:00 UTC', expires 2024-03-06 23:59:59 UTC'

For zagent*.hola.org:

Resolving 'zagent98.hola.org:22225'...
Connecting to '46.3.85.4:22225'...

  • Certificate type: X.509
  • Got a certificate list of 3 certificates.
  • Certificate[0] info:
  • subject CN=*.hola.org', issuer CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00ac79a008a5421c49687dd1e737af49f7, RSA key 2048 bits, signed using RSA-SHA256, activated 2023-05-21 00:00:00 UTC', expires 2024-05-29 23:59:59 UTC'

Pay attention to the activation date (2023-05-21). Is it when the problems first began?

So should we assume that it's a misconfiguration rather than MITM?

Maybe you can 'whitelist' the domain and its wildcard for *.hola-vpn.com ?

Apparently it is happening because hola-proxy uses TLS handshakes without SNI (purposely). But since you're dialing from outside of Russia, it doesn't make much sense and regular handshakes can be used.

Please try new option -hide-SNI=false to change that behavior. At least in my tests it worked fine.
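The failure mode described above, reproduced as an added example (not hola-proxy's code): a loopback Go TLS server holds two self-signed certificates, constructed for the demo and named after the ones in the thread, and the client checks the name it expected with and without SNI. How Hola's servers actually pick a certificate is an assumption, modelled here with crypto/tls's default selection; `selfSigned` and `handshake` are hypothetical helpers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway certificate for one DNS name (constructed demo data).
func selfSigned(name string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// handshake sends sni to a loopback server and checks the certificate it gets against wantHost.
func handshake(sni, wantHost string) error {
	// With no SNI to choose by, crypto/tls serves the first certificate in the list.
	srv := &tls.Config{Certificates: []tls.Certificate{selfSigned("*.hola-vpn.com"), selfSigned("*.hola.org")}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.Read(make([]byte, 1)) // drives the server side of the handshake
			c.Close()
		}
	}()
	// Chain building is skipped because the demo certificates are self-signed; the name check is kept.
	verify := func(cs tls.ConnectionState) error { return cs.PeerCertificates[0].VerifyHostname(wantHost) }
	cli := &tls.Config{ServerName: sni, InsecureSkipVerify: true, VerifyConnection: verify}
	// An empty ServerName makes tls.Dial fall back to the IP literal, which is never sent as SNI.
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	fmt.Println(handshake("", "zagent193.hola.org"), handshake("zagent193.hola.org", "zagent193.hola.org"))
}
```

Without SNI the client is handed the default certificate and the hostname check fails with the same x509 message as in the logs; with SNI the matching wildcard certificate is selected and the check passes.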

Works like a charm now :) Thanks! +1 star

Please try new option
-hide-SNI=false
to change that behavior. At least in my tests it worked fine.

... It should also be noted that, at least in my case, the = sign between the switch and its boolean value was needed for "this" (RU Hola proxies) to work:

hp -country ru -hide-SNI false -dont-use-trial => 

MAIN    : 2023/08/08 01:36:45 main.go:192: WARNING  Detected latest extension version: "1.213.207". Pass -ext-ver parameter to skip resolve and speedup startup
MAIN    : 2023/08/08 01:36:45 main.go:200: INFO     hola-proxy client version v1.10.0 is starting...
MAIN    : 2023/08/08 01:36:45 main.go:201: INFO     Constructing fallback DNS upstream...
MAIN    : 2023/08/08 01:36:45 main.go:208: INFO     Initializing configuration provider...
MAIN    : 2023/08/08 01:36:46 main.go:222: INFO     Endpoint: https://zagent97.hola.org:22225
MAIN    : 2023/08/08 01:36:46 main.go:223: INFO     Starting proxy server...
MAIN    : 2023/08/08 01:36:46 main.go:225: INFO     Init complete.
PROXY   : 2023/08/08 01:36:56 handler.go:104: INFO     Request: 127.0.0.1:4191 HTTP/1.1 CONNECT //www.bing.com:443
PROXY   : 2023/08/08 01:36:56 handler.go:49: ERROR    Can't satisfy CONNECT request: x509: certificate is valid for *.hola-vpn.com, hola-vpn.com, not zagent97.hola.org

... but:

hp -country ru -hide-SNI=false -dont-use-trial =>

MAIN    : 2023/08/08 01:39:59 main.go:192: WARNING  Detected latest extension version: "1.213.207". Pass -ext-ver parameter to skip resolve and speedup startup
MAIN    : 2023/08/08 01:39:59 main.go:200: INFO     hola-proxy client version v1.10.0 is starting...
MAIN    : 2023/08/08 01:39:59 main.go:201: INFO     Constructing fallback DNS upstream...
MAIN    : 2023/08/08 01:39:59 main.go:208: INFO     Initializing configuration provider...
MAIN    : 2023/08/08 01:40:00 main.go:222: INFO     Endpoint: https://zagent97.hola.org:22225
MAIN    : 2023/08/08 01:40:00 main.go:223: INFO     Starting proxy server...
MAIN    : 2023/08/08 01:40:00 main.go:225: INFO     Init complete.
PROXY   : 2023/08/08 01:40:07 handler.go:104: INFO     Request: 127.0.0.1:4204 HTTP/1.1 CONNECT //www.bing.com:443
PROXY   : 2023/08/08 01:40:12 handler.go:104: INFO     Request: 127.0.0.1:4207 HTTP/1.1 CONNECT //r.bing.com:443

Up to (and including) v1.9.1, it was never obligatory for me 😉 to include the equals (=) sign between a switch and its value for things to work; e.g., I just type -country ru and not -country=ru; @Snawoot, any comment, please, as to why -hide-SNI is now "special" in this regard?

As ever, many praises for your tool 🥇 ...

@Vangelis66

... It should also be noted that, at least in my case, the = sign between the switch and its boolean value was needed for "this" (RU Hola proxies) to work:

It's quite common for the flag module from the Golang standard library: https://pkg.go.dev/flag#hdr-Command_line_flag_syntax

Its documentation states:

The following forms are permitted:

-flag
--flag   // double dashes are also permitted
-flag=x
-flag x  // non-boolean flags only

Since hide-SNI is a boolean flag, the last form is not permitted. And because the first or second form sets only the true value, we have to use the third form to override the default true to false. Hence = is required in that case.

The flag module is a bit clunky but at least doesn't require me to bring a lot of external dependencies into the code, just stdlib mostly.
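The two command lines from the thread run through Go's `flag` package, as an added example (not hola-proxy's code). The flag types, the empty usage strings and the "us" default for -country are assumptions, and `parse` with its `strict` switch is a hypothetical helper. It also shows what the explanation above implies but does not spell out: parsing stops at the stray `false`, so `-dont-use-trial` after it is silently dropped as well.

```go
package main

import (
	"flag"
	"fmt"
	"io"
)

// opts mirrors three switches from the thread. Their types and the "us"
// default are assumptions; hide-SNI defaults to true as stated above.
type opts struct {
	country      string
	hideSNI      bool
	dontUseTrial bool
	leftover     []string // arguments the flag package never looked at
}

// parse runs the stdlib parser; with strict set it rejects leftover arguments.
func parse(args []string, strict bool) (opts, error) {
	var o opts
	fs := flag.NewFlagSet("hp", flag.ContinueOnError)
	fs.SetOutput(io.Discard)
	fs.StringVar(&o.country, "country", "us", "")
	fs.BoolVar(&o.hideSNI, "hide-SNI", true, "")
	fs.BoolVar(&o.dontUseTrial, "dont-use-trial", false, "")
	if err := fs.Parse(args); err != nil {
		return o, err
	}
	// Parsing stops at the first non-flag argument; everything from there on is leftover.
	o.leftover = fs.Args()
	if strict && len(o.leftover) > 0 {
		return o, fmt.Errorf("unparsed arguments %q: boolean flags need -flag=value", o.leftover)
	}
	return o, nil
}

func main() {
	spaced := []string{"-country", "ru", "-hide-SNI", "false", "-dont-use-trial"}
	equals := []string{"-country", "ru", "-hide-SNI=false", "-dont-use-trial"}
	for _, args := range [][]string{spaced, equals} {
		o, err := parse(args, false)
		fmt.Printf("%q -> %+v err=%v\n", args, o, err)
	}
	_, err := parse(spaced, true)
	fmt.Println("strict:", err)
}
```

A CLI that takes no positional arguments can fail closed on leftovers, as the `strict` branch does, so a security-relevant boolean is never left at its default without the user noticing.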

Many thanks for your almost instant and most informative reply ❤️ ; I see now:

You must use the -flag=false form to turn off a boolean flag.

If it wasn't obvious already 😉 , I'm a user on Windows and the majority of the CLIs I use there (built on perl/python/C/C++/etc.) with optional commandline switches don't have = as a mandatory requirement 😉 , hence my habit of not including it...

Thanks again for the support, keep up your fine job 🥇 !