[tor-bugs] #4744 [Tor Bridge]: GFW probes based on Tor's SSL cipher list
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Tue Mar 13 14:07:37 UTC 2012
#4744: GFW probes based on Tor's SSL cipher list
--------------------------------+-------------------------------------------
Reporter: asn | Owner: nickm
Type: defect | Status: needs_revision
Priority: major | Milestone: Tor: 0.2.3.x-final
Component: Tor Bridge | Version:
Keywords: tls fingerprinting | Parent: #4185
Points: | Actualpoints:
--------------------------------+-------------------------------------------
Comment(by arma):
{{{
--- tortls.c.orig 2011-12-15
+++ tortls.c 2012-03-13
@@ -907,6 +907,24 @@
return 1;
}
+static void
+tor_tls_client_hack_callback(const SSL *ssl, int type, int val)
+{
+ (void) val;
+ if (type == SSL_CB_HANDSHAKE_START &&
+ !ssl->new_session) {
+ SSL *_ssl = (SSL *)ssl;
+ _ssl->new_session = 3; /* XxXXxX Hack. Do not repeat if alone at home
*/
+ return;
+ }
+ if (type == SSL_CB_ACCEPT_LOOP &&
+ ssl->new_session == 3) {
+ SSL *_ssl = (SSL *)ssl;
+ _ssl->new_session = 0; /* XxXXxX Hack. Do not repeat if alone at home
*/
+ return;
+ }
+}
+
/** Invoked when we're accepting a connection on <b>ssl</b>, and the
connection
* changes state. We use this:
* <ul><li>To alter the state of the handshake partway through, so we
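Review bot: the callback writes to `ssl->new_session`, a private field of OpenSSL's `SSL` struct, through a const cast, and the sentinel value 3 is documented only by the "XxXXxX Hack" comment; it needs a comment stating what `new_session` means in the OpenSSL versions this build targets, why 3 cannot collide with a value OpenSSL itself stores there, and which versions the struct layout was checked against. Also, since the callback is only installed when `!isServer`, the reset branch tests `SSL_CB_ACCEPT_LOOP`; a client-side handshake reports `SSL_CB_CONNECT_LOOP`, so that branch looks unreachable and the field is left at 3 until the later `SSL_set_info_callback(tls->ssl, NULL)`. Worth confirming which of the two was intended.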
@@ -1092,6 +1110,12 @@
}
#endif
+#ifdef V2_HANDSHAKE_CLIENT
+ if (!isServer) {
+ SSL_set_info_callback(result->ssl, tor_tls_client_hack_callback);
+ }
+#endif
+
/* Not expected to get called. */
tls_log_errors(NULL, LOG_WARN, LD_NET, "creating tor_tls_t object");
return result;
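Review bot: this block attaches the hack callback to every client-side `tor_tls_t` without a comment saying why; add one naming the cipher-list / 0x00ff problem from this ticket (#4744) so the next reader does not remove it, and since the callback pokes a private OpenSSL field, guard it with a version check (e.g. on `OPENSSL_VERSION_NUMBER`) rather than the bare `V2_HANDSHAKE_CLIENT` `#ifdef`.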
@@ -1324,6 +1348,7 @@
#endif
} else {
#ifdef V2_HANDSHAKE_CLIENT
+ SSL_set_info_callback(tls->ssl, NULL);
/* If we got no ID cert, we're a v2 handshake. */
X509 *cert = SSL_get_peer_certificate(tls->ssl);
STACK_OF(X509) *chain = SSL_get_peer_cert_chain(tls->ssl);
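Review bot: `SSL_set_info_callback(tls->ssl, NULL)` clears the hack callback only in this `else` branch (the no-ID-cert v2 path); on the other branch of the same `if` the callback stays registered for the lifetime of the `SSL` object, so either clear it on both paths or at the point the handshake completes, and the `new_session` value set to 3 by the callback is not restored here either.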
}}}
{{{
<wanoskarnet> We could create a new SSL_METHOD if SSLv3 or TLSv1 is used, then use a self-made ssl_put_cipher_by_char(). With SSLv23 it makes no sense because there ssl3_put_cipher_by_char() is used without a chance to change it.
> wanoskarnet: fun hack. what does it do?
<wanoskarnet> it prevents the auto append of 0x00ff to the cipher list of the client hello.
> ah ha. because of the ciphers. is that what kz is doing to block tor? last i checked it was only china. but i've been busy with performance research stuff.
<wanoskarnet> And the censor can't ban it easily as it is now.
<wanoskarnet> I did test yesterday from the kz net.
> with cipher change it works, without cipher change it fails?
> and i guess the 0x00ff fix is not needed quite yet, but you expect it will be the next thing needed?
<wanoskarnet> They detect the tor client by its unique cipher list. after the change the tor client can't be detected by the current rules.
<wanoskarnet> yes no need. but it's a very nice target
<wanoskarnet> even if you change the cipher list, it's still unique. no modern browser appends it to the end.
> why does openssl append it? because openssl has never thought somebody might use it to lie about cipher suites?
<wanoskarnet> yes
}}}
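A check a Tor developer could run against the client's own ClientHello bytes to see whether the trailing 0x00ff suite (TLS_EMPTY_RENEGOTIATION_INFO_SCSV, the one OpenSSL appends) is present, as an added example that is not part of the ticket or of Tor's code. The ClientHello is constructed inside the block rather than captured, and the parser handles only the SSLv3/TLS 1.x record layout.

```python
import struct

# TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746): the 0x00ff suite that OpenSSL
# appends to a client's cipher list, as discussed in the chat log above.
RENEGOTIATION_SCSV = 0x00FF

def build_client_hello(cipher_suites, version=(3, 1)):
    """Construct a minimal ClientHello record (sample data, not a capture)
    carrying the given cipher suite list, for feeding to the parser below."""
    body = bytes(version)                              # client_version
    body += b"\x11" * 32                               # random (constructed)
    body += b"\x00"                                    # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello_ciphers(record):
    """Return the cipher suite list (as ints) from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS/SSLv3 handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                       # skip version + random
    pos += 1 + body[pos]                               # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0]
            for i in range(pos, pos + cs_len, 2)]

def trailing_renegotiation_scsv(cipher_suites):
    """True if the list ends with 0x00ff, the suffix the chat log says no modern browser sends last."""
    return bool(cipher_suites) and cipher_suites[-1] == RENEGOTIATION_SCSV

if __name__ == "__main__":
    hello = build_client_hello([0xC011, 0x0005, RENEGOTIATION_SCSV])  # constructed list
    suites = parse_client_hello_ciphers(hello)
    print([hex(s) for s in suites], trailing_renegotiation_scsv(suites))
```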
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4744#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>