[tbb-bugs] #23945 [Applications/Tor Browser]: Unable to Connect to Tor via a Proxy at 127.0.0.0/8
    Tor Bug Tracker & Wiki 
    blackhole at torproject.org
       
    Sun Oct 22 13:47:37 UTC 2017
    
    
  
#23945: Unable to Connect to Tor via a Proxy at 127.0.0.0/8
------------------------------------------+----------------------
     Reporter:  cypherpunks               |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Major                     |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 During the initial startup, Tor Browser allows users to connect via a
 bridge or proxy to bypass restrictive firewalls. However, if the proxy
 server listens at 127.0.0.0/8, it's not possible to establish a connection
 to the Tor network, rendering Tor Browser useless.
 It's known to affect every version of Tor Browser Bundle, TBB on Tails OS
 is also affected. Proxies at other private network ranges, such as
 192.168.0.0/16, is not affected. Because a proxy server at 127.0.0.1 is
 provided by common tools (e.g. OpenSSH) and more than useful to bypass
 Internet censorship, this issue greatly affects the usability of Tor
 Browser Bundle, especially in places where Internet is censored and
 anonymity is urgently needed, the bug is qualified as "major" and should
 be fixed as soon as possible.
 Currently, if users want to use a proxy at the range of 127.0.0.0/8, one
 can work around this issue by using a bridge and a local proxy at the same
 time. After connected, it's even possible to turn off the bridge
 afterwards via Tor Button, and use the local proxy alone.
 The "torrc" files produced by Tor Browser Bundle has been inspected by the
 reporter, a suspicious difference is found and believed to be the cause of
 the bug.
 == Reproduce
 1. Start a "SOCKS 5" proxy at 127.0.0.1, e.g. "ssh user at server -D 8080".
 2. Start Tor Browser Bundle.
 3. Choose "This computer's Internet connection is censored or proxied".
 4. "Does your ISP block or otherwise censor connections?" Answer "No".
 5. "Does this computer need to use a local proxy?" Answer "Yes".
 6. Enter the "SOCKS 5" proxy at 127.0.0.1 and its port, e.g. 127.0.0.1,
 port 8080.
 7. Tor Status showed Tor was trying to establishing a connection, but wait
 at here indefinitely.
 8. Tor failed to establish a Tor network connection.
 See Appendix 1 and Appendix 2 for connection logs and generated "torrc"
 file.
 == Workaround
 One can workaround this issue by using a bridge and a local proxy at the
 same time.
 1. Repeat Step 1, 2, 3 in "Reproduce".
 2. "Does your ISP block or otherwise censor connections?" Answer "Yes".
 3. "Does this computer need to use a local proxy?" Answer "Yes".
 4. Select a builtin obfs4 transport.
 5. Enter the "SOCKS 5" proxy at 127.0.0.1 and its port, e.g. 127.0.0.1,
 port 8080.
 6. Tor connected to the network.
 See Appendix 3 for generated "torrc" file.
 == Further Workaround
 After connected Tor network, it's even possible to remove the bridge, and
 Tor continues to work via the proxy server alone.
 1. Repeat all steps in "Workaround".
 2. Click Tor Button.
 3. Disable "My ISP blocks connections to the Tor network".
 4. Ensure "This computer goes through a firewall that only allows
 connections to certain ports" is not select, per default.
 See Appendix 4 for generated "torrc" file.
 == Further Reproduce
 1. Repeat Stop 1, 2.
 2. Enable "This computer goes through a firewall that only allows
 connections to certain ports".
 3. Ensure "Allowed ports" are "80,443" per default.
 Tor Browser will stop working, and generated "torrc" is identical to the
 initial broken one in "Reproduce" (Appendix 2).
 == Identifying the Issue
 Comparing the "torrc" files generated each time, it's identified that
 these three lines only appears in "Reproduce".
 {{{
 ReachableAddresses *:80,*:443
 ReachableAddresses reject *:*
 ReachableAddresses reject *:*
 }}}
 It looks like for some reasons, These options prepared for fascist
 firewall can not be used with Socks5Proxy at the same time, at least for
 those listen on 127.0.0.1.
 == Appendix 1: Logs for "Workaround".
 {{{
 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control
 network connections. Shutting down all existing connections.
 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control
 network connections. Shutting down all existing connections.
 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control
 network connections. Shutting down all existing connections.
 [NOTICE] Opening Socks listener on 127.0.0.1:9150
 [NOTICE] Bootstrapped 5%: Connecting to directory server
 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control
 network connections. Shutting down all existing connections.
 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
 [WARN] Problem bootstrapping. Stuck at 10%: Finishing handshake with
 directory server. (DONE; DONE; count 10; recommendation warn; host
 [REDACTED] at [REDACTED]:80)
 [WARN] 10 connections have failed:
 [WARN]  10 connections died in state handshaking (TLS) with SSL state
 SSLv2/v3 read server hello A in HANDSHAKE
 [WARN] Problem bootstrapping. Stuck at 10%: Finishing handshake with
 directory server. (DONE; DONE; count 11; recommendation warn; host
 [REDACTED] at [REDACTED]:80)
 [WARN] 11 connections have failed:
 [WARN]  11 connections died in state handshaking (TLS) with SSL state
 SSLv2/v3 read server hello A in HANDSHAKE
 [NOTICE] Delaying directory fetches: DisableNetwork is set.
 }}}
 == Appendix 2: Generated "torrc" for "Reproduce".
 {{{
 # This file was generated by Tor; if you edit it, comments will not be
 preserved
 # The old torrc file was renamed to torrc.orig.1 or similar, and Tor will
 ignore it
 DataDirectory [REDACTED]
 GeoIPFile [REDACTED]
 GeoIPv6File [REDACTED]
 Socks5Proxy 127.0.0.1:[REDACTED]
 ReachableAddresses *:80,*:443
 ReachableAddresses reject *:*
 ReachableAddresses reject *:*
 }}}
 == Appendix 3: Generated "torrc" for "Workaround".
 {{{
 # This file was generated by Tor; if you edit it, comments will not be
 preserved
 # The old torrc file was renamed to torrc.orig.1 or similar, and Tor will
 ignore it
 Bridge obfs4 [REDACTED]
 Bridge obfs4 [REDACTED]
 Bridge obfs4 [REDACTED]
 Bridge obfs4 [REDACTED]
 Bridge obfs4 [REDACTED]
 [REDACTED ADDITIONAL LINE OF OBFS4 BRIDGES]
 DataDirectory [REDACTED]
 GeoIPFile [REDACTED]
 GeoIPv6File [REDACTED]
 Socks5Proxy 127.0.0.1:[REDACTED]
 UseBridges 1
 }}}
 == Appendix 4: Generated "torrc" for "Further Workaround".
 {{{
 # This file was generated by Tor; if you edit it, comments will not be
 preserved
 # The old torrc file was renamed to torrc.orig.1 or similar, and Tor will
 ignore it
 DataDirectory [REDACTED]
 GeoIPFile [REDACTED]
 GeoIPv6File [REDACTED]
 Socks5Proxy 127.0.0.1:[REDACTED]
 }}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23945>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
    
    
More information about the tbb-bugs
mailing list