[tor-bugs] #4744 [Tor Bridge]: GFW probes based on Tor's SSL cipher list (?)
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Mon Dec 19 14:22:03 UTC 2011
#4744: GFW probes based on Tor's SSL cipher list (?)
------------------------+---------------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: blocker | Milestone:
Component: Tor Bridge | Version:
Keywords: | Parent: #4185
Points: | Actualpoints:
------------------------+---------------------------------------------------
Tim's tests show that GFW is probing v2/v3 bridges based on the Tor cipher
list. Tor is using 28 static ciphers (`src/common/ciphers.inc`) for the
SSL ClientHello of the v2/v3 link handshakes, and GFW seems to get
agitated by them.
The question mark in the ticket title reflects the fact that this is not
100% verified, even though Tim dodged probing by simply removing two
ciphersuites from `ciphers.inc` [0], when the same ClientHello, but with
full ciphers.inc, was always getting probed (IIRC).
Tim said he is gonna look into this soon-ish, so that the question mark
can be removed from the title.
In any case, this ticket is to find a good tactic to remove this static
fingerprint from Tor's SSL handshake. My patch in [0] might do it, but it
doesn't seem very future-proof.
We should probably see what Firefox does, and hope that it doesn't
interfere with v2 signalling.
[0]:
{{{
diff --git a/src/common/ciphers.inc b/src/common/ciphers.inc
index c84620d..99ec494 100644
--- a/src/common/ciphers.inc
+++ b/src/common/ciphers.inc
@@ -111,16 +111,6 @@
#else
XCIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
#endif
-#ifdef SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA
- CIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
-#else
- XCIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
-#endif
-#ifdef SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA
- CIPHER(0x0013, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA)
-#else
- XCIPHER(0x0013, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA)
-#endif
#ifdef TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA
CIPHER(0xc00d, TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA)
#else
}}}
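Review bot: the removal of the 0x0016 and 0x0013 entries (both the CIPHER and XCIPHER branches of each #ifdef) leaves nothing in ciphers.inc explaining why these two suites are absent, and what remains is still a fixed list, only a different one. Suggest a comment at the removal site pointing to #4744, and a check that the shortened list does not interfere with v2 signalling before this is applied, since the ticket raises that concern itself.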
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4744>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
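To make the "static fingerprint" point in the ticket concrete, here is an added example (not part of the ticket or of Tor's code) that extracts the ordered cipher suite list from a ClientHello record and hashes it, so the effect of a change to the list can be checked on the wire. The FULL list is a constructed stand-in and the function names are hypothetical; only the four suite IDs from the patch are taken from the page.

```python
import hashlib
import os
import struct

# Constructed stand-in list, NOT Tor's real 28 entries; the first four IDs are
# the ones visible in the patch above, the last two are common TLS suite IDs.
FULL = [0xc012, 0x0016, 0x0013, 0xc00d, 0x002f, 0x000a]
PATCHED = [s for s in FULL if s not in (0x0016, 0x0013)]  # effect of patch [0]

def build_client_hello(suites):
    """Build a minimal TLS 1.0 ClientHello record (no extensions) as test input."""
    body = b"\x03\x01" + os.urandom(32) + b"\x00"   # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                             # one compression method: null
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def cipher_suites(record):
    """Return the offered cipher suite IDs, in wire order."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    pos = 4 + 2 + 32                                # handshake header, version, random
    if len(hs) <= pos:
        raise ValueError("truncated ClientHello")
    pos += 1 + hs[pos]                              # skip session_id
    if len(hs) < pos + 2:
        raise ValueError("truncated ClientHello")
    n = struct.unpack("!H", hs[pos:pos + 2])[0]
    raw = hs[pos + 2:pos + 2 + n]
    if n % 2 or len(raw) != n:
        raise ValueError("truncated cipher suite list")
    return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, n, 2)]

def list_fingerprint(record):
    """Hash only the ordered suite list; the random field does not enter into it."""
    ids = ",".join("%04x" % s for s in cipher_suites(record))
    return hashlib.sha256(ids.encode()).hexdigest()[:16]

if __name__ == "__main__":
    for name, suites in (("full", FULL), ("patched", PATCHED)):
        a, b = build_client_hello(suites), build_client_hello(suites)
        print(name, list_fingerprint(a), list_fingerprint(b), a != b)
```

Two hellos built from the same list differ in their random bytes but hash to the same value, and the patched list hashes to a different but equally stable value.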