Kazakhstan uses DPI to block Tor
Two blog posts published in the beginning of March talks about Kazakhstan using DPI to block Tor. The posts say that Kazakhstan is identifying and blocking the SSL client key exchange during the setup of an SSL connection. It seems the Kazakhstan firewall finds something unique in the TLS "Server Hello" message as sent by the Tor relay or bridge and therefore blocks subsequent communications. IP address and TCP port are irrelevant to the censorship.
From legacy/trac#6045 (moved) (where we discuss Ethiopia blocking Tor based on ServerHello), we know that:
- The normal Tor Browser Bundle with a special bridge works; the bridge with the patch that causes the final hello done TLS record to be sent in a separate packet.
- The three bridges in https://blog.torproject.org/blog/update-censorship-ethiopia are also working in Kazakhstan. These are bridges with a patch that removes 0x0039 from SERVER_CIPHER_LIST.