<div dir="ltr">I'm still having trouble connecting to my obfsproxy bridge; Any pointers would be appreciated. External scanning indicates that the correct ports are open except for port 443 but it's definitely open on the firewall.<div>
<br></div><div><pre style="color:rgb(0,0,0)">lee@li388-156:~$ nmap -p 22,443,9001,40872,52176 173.255.119.202
Starting Nmap 5.21 ( <a href="http://nmap.org">http://nmap.org</a> ) at 2013-08-21 16:44 EDT
Nmap scan report for <a href="http://202.119.255.173.bc.googleusercontent.com">202.119.255.173.bc.googleusercontent.com</a> (173.255.119.202)
Host is up (0.16s latency).
PORT STATE SERVICE
22/tcp open ssh
443/tcp closed https
9001/tcp open tor-orport
40872/tcp open unknown
52176/tcp open unknown</pre><div><pre style>lee@li388-156:~$ openssl s_client -showcerts -connect <a href="http://173.255.119.202:443">173.255.119.202:443</a>
connect: Connection refused
connect:errno=111</pre></div><div>maybe this? <a href="https://trac.torproject.org/projects/tor/ticket/5104" target="_blank">https://trac.torproject.org/projects/tor/ticket/5104</a><br></div></div><div><br></div><div>Confirming that 443 is accessible:</div>
<div><pre style="color:rgb(0,0,0)"><span style="font-family:arial">lee@tor-bootstrap:~$ sudo python -m SimpleHTTPServer 443</span><br></pre><pre style="color:rgb(0,0,0)"><pre style>Serving HTTP on 0.0.0.0 port 443 ...
106.187.45.156 - - [21/Aug/2013 22:39:16] code 400, message Bad request syntax ('\x16\x03\x01\x00\xdc\x01\x00\x00\xd8\x03\x02R\x15A\x94\xc5\xfc\xc1(\x04O\xe0\xee@\x92d\x17.\xd9N\xa1Q\xb3$_\xa6H\xc6adp\xa11\x00\x00f\xc0\x14\xc0')
106.187.45.156 - - [21/Aug/2013 22:39:16] "��������R�A����(�O��@�d�.�N�Q�$_�H�adp�1f���" 400 -</pre><pre style><pre>lee@li388-156:~$ openssl s_client -showcerts -connect <a href="http://173.255.119.202:443">173.255.119.202:443</a>
CONNECTED(00000003)
140181545842336:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:749:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 225 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---</pre><div><br></div><pre></pre></pre></pre></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Aug 15, 2013 at 10:14 AM, lee colleton <span dir="ltr"><<a href="mailto:lee@colleton.net" target="_blank">lee@colleton.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">-tor-relay<div>+tor-relays</div><div><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">
On Thu, Aug 15, 2013 at 10:13 AM, lee colleton <span dir="ltr"><<a href="mailto:lee@colleton.net" target="_blank">lee@colleton.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">All of the ports respond on the external IP except for 443 but I can connect via SSL on 9001. I don't understand how <span style="font-family:arial,sans-serif;font-size:13px">ORListenAddress is supposed to work: my bridge times out on 443 but when I comment out the </span><span style="font-family:arial,sans-serif;font-size:13px">ORListenAddress line it doesn't connect via obfsproxy at all.</span><div>
<span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Please advise.</span></div></div><div><div><div class="gmail_extra">
<br><br><div class="gmail_quote">
On Thu, Aug 15, 2013 at 1:47 AM, lee colleton <span dir="ltr"><<a href="mailto:lee@colleton.net" target="_blank">lee@colleton.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p dir="ltr">With the ORListenAddress line uncommented, a slightly different failure results:</p>
<p dir="ltr"></p><div>Orbot is starting…<br>
Orbot is starting…<br></div>
got tor proc id: 28490<br>
Tor process id=28490<div><br>
Connecting to control port: 9051<br>
SUCCESS connected to control port<br>
SUCCESS authenticated to control port<br>
Starting Tor client… complete.<br>
adding control port event handler<br>
SUCCESS added control port event handler<br>
Starting privoxy process<br>
/data/data/org.torproject.android/app_bin/privoxy /data/data/org.torproject.android/app_bin/privoxy.config &<br>
NOTICE: Heartbeat: Tor's uptime is 0:00 hours, with 0 circuits open. I've sent 0 kB and received 0 kB. <br>
Privoxy is running on port:8118<br></div>
Privoxy process id=28508<div><br>
Network connectivity is good. Waking Tor up...<br>
Circuit (1) LAUNCHED: <br>
NOTICE: Bootstrapped 5%: Connecting to directory server. <br>
orConnStatus (<a href="http://173.255.119.202:443" target="_blank">173.255.119.202:443</a>): LAUNCHED<br>
NOTICE: Bootstrapped 10%: Finishing handshake with directory server. <br></div><div>
Circuit (1) FAILED: ONEHOP_TUNNEL > IS_INTERNAL > NEED_CAPACITY<br></div><div>
NOTICE: Your application (using socks4a to port 443) instructed Tor to take care of the DNS resolution itself if necessary. This is good. <br>
NOTICE: Your application (using socks4a to port 80) instructed Tor to take care of the DNS resolution itself if necessary. This is good. <br>
NOTICE: Your application (using socks4a to port 443) instructed Tor to take care of the DNS resolution itself if necessary. This is good. <br>
NOTICE: Your application (using socks4a to port 80) instructed Tor to take care of the DNS resolution itself if necessary. This is good. <br>
NOTICE: Your application (using socks4a to port 443) instructed Tor to take care of the DNS resolution itself if necessary. This is good. <br>
NOTICE: Your application (using socks4a to port 80) instructed Tor to take care of the DNS resolution itself if necessary. This is good. <br>
NOTICE: Your application (using socks4a to port 443) instructed Tor to take care of the DNS resolution itself if necessary. This is good. <br></div>
NOTICE: Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for circuit) <br><div>
NOTICE: Your application (using socks4a to port 443) instructed Tor to take care of the DNS resolution itself if necessary. This is good. <br>
</div><p></p><div><div>
<div class="gmail_quote">On Aug 15, 2013 1:41 AM, "lee colleton" <<a href="mailto:lee@colleton.net" target="_blank">lee@colleton.net</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p dir="ltr">When I attempt to connect to this bridge, I see a failure in handshaking:</p>
<p dir="ltr">Orbot is starting…<br>
Orbot is starting…<br>
got tor proc id: 27365<br>
Tor process id=27365<br>
Connecting to control port: 9051<br>
SUCCESS connected to control port<br>
SUCCESS authenticated to control port<br>
Starting Tor client… complete.<br>
adding control port event handler<br>
SUCCESS added control port event handler<br>
Starting privoxy process<br>
/data/data/org.torproject.android/app_bin/privoxy /data/data/org.torproject.android/app_bin/privoxy.config &<br>
NOTICE: Heartbeat: Tor's uptime is 0:00 hours, with 0 circuits open. I've sent 0 kB and received 0 kB. <br>
Privoxy is running on port:8118<br>
Privoxy process id=27393<br>
Network connectivity is good. Waking Tor up...<br>
Circuit (1) LAUNCHED: <br>
NOTICE: Bootstrapped 5%: Connecting to directory server. <br>
orConnStatus (<a href="http://173.255.119.202:443" target="_blank">173.255.119.202:443</a>): LAUNCHED<br>
NOTICE: Bootstrapped 10%: Finishing handshake with directory server. <br>
NOTICE: We weren't able to find support for all of the TLS ciphersuites that we wanted to advertise. This won't hurt security, but it might make your Tor (if run as a client) more easy for censors to block. <br>
NOTICE: To correct this, use a more recent OpenSSL, built without disabling any secure ciphers or features. <br>
Circuit (1) FAILED: ONEHOP_TUNNEL > IS_INTERNAL > NEED_CAPACITY<br>
orConnStatus (<a href="http://173.255.119.202:443" target="_blank">173.255.119.202:443</a>): FAILED<br>
WARN: Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 1; recommendation warn) <br>
WARN: 1 connections have failed: <br>
WARN: 1 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE <br>
NOTICE: Your application (using socks4a to port 80) instructed Tor to take care of the DNS resolution itself if necessary. This is good. <br>
NOTICE: Your application (using socks4a to port 443) instructed Tor to take care of the DNS resolution itself if necessary. This is good. <br>
NOTICE: Your application (using socks4a to port 80) instructed Tor to take care of the DNS resolution itself if necessary. This is good. <br>
</p>
<div class="gmail_quote">On Aug 15, 2013 12:31 AM, "lee colleton" <<a href="mailto:lee@colleton.net" target="_blank">lee@colleton.net</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">When I comment out the ORListenAddress line things look OK.<div><pre style="white-space:pre-wrap"># Listen on a port other than the one advertised in ORPort (that is,
# advertise 443 but bind to 9001).
#ORListenAddress <a href="http://0.0.0.0:9001/" target="_blank">0.0.0.0:9001</a>
</pre></div><div><pre>Aug 15 06:52:50.000 [notice] Tor 0.2.4.16-rc (git-dcf6b6d7dda9ffbd) opening log file.
Aug 15 06:52:50.000 [notice] We were built to run on a 64-bit CPU, with OpenSSL 1.0.1 or later, but with a version of OpenSSL that apparently lacks accelerated support for the NIST P-224 and P-256 groups. Building openssl with such support (using the enable-ec_nistp_64_gcc_128 option when configuring it) would make ECDH much faster.
Aug 15 06:52:50.000 [notice] Your Tor server's identity key fingerprint is 'gcedemo 08C752E8E86EB5916574A8625030B0EC204EABB8'
Aug 15 06:52:50.000 [notice] Configured hibernation. This interval began at 2013-08-15 00:00:00; the scheduled wake-up time was 2013-08-15 00:00:00; we expect to exhaust our quota for this interval around 2013-08-16 00:00:00; the next interval begins at 2013-08-16 00:00:00 (all times local)
Aug 15 06:52:50.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Aug 15 06:52:50.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Aug 15 06:52:50.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
Aug 15 06:52:51.000 [notice] We now have enough directory information to build circuits.
Aug 15 06:52:51.000 [notice] Bootstrapped 80%: Connecting to the Tor network.
Aug 15 06:52:52.000 [notice] Bootstrapped 85%: Finishing handshake with first hop.
Aug 15 06:52:53.000 [notice] Guessed our IP address as 173.255.119.202 (source: 38.229.70.33).
Aug 15 06:52:53.000 [notice] Bootstrapped 90%: Establishing a Tor circuit.
Aug 15 06:52:53.000 [notice] Registered server transport 'obfs3' at '<a href="http://0.0.0.0:40872" target="_blank">0.0.0.0:40872</a>'
Aug 15 06:52:53.000 [notice] Registered server transport 'obfs2' at '<a href="http://0.0.0.0:52176" target="_blank">0.0.0.0:52176</a>'
Aug 15 06:52:55.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Aug 15 06:52:55.000 [notice] Bootstrapped 100%: Done.
Aug 15 06:52:55.000 [notice] Now checking whether ORPort <a href="http://173.255.119.202:443" target="_blank">173.255.119.202:443</a> is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Aug 15 06:53:04.000 [notice] New control connection opened.
Aug 15 07:10:11.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.</pre></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Aug 14, 2013 at 9:53 PM, lee colleton <span dir="ltr"><<a href="mailto:lee@colleton.net" target="_blank">lee@colleton.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Yes, I've opened the ports in the Google Compute Engine (see below). I'll follow up on their forum to make sure I've altered the firewall properly.<div>
<br></div><div>--lee</div><div><br></div><div>
<pre>lee@li388-156:~$ gcutil --service_version="v1beta15" --project="colleton.net:tor-cloud" listfirewalls
+------------------------+---------------------------------------+---------+------------+-------------+-------------+
| name | description | network | source-ips | source-tags | target-tags |
+------------------------+---------------------------------------+---------+------------+-------------+-------------+
| default-allow-internal | Internal traffic from default allowed | default | <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a> | | |
| default-ssh | SSH allowed from anywhere | default | <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> | | |
| tor-obfsproxy | | default | <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> | | obfsproxy |
+------------------------+---------------------------------------+---------+------------+-------------+-------------+
lee@li388-156:~$ gcutil --service_version="v1beta15" --project="colleton.net:tor-cloud" getfirewall tor-obfsproxy
+---------------+-------------------------------+
| property | value |
+---------------+-------------------------------+
| name | tor-obfsproxy |
| description | |
| creation-time | 2013-08-07T18:37:35.986-07:00 |
| network | default |
| source-ips | <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> |
| source-tags | |
| target-tags | obfsproxy |
| allowed | tcp: 443, 9001, 40872, 52176 |
+---------------+-------------------------------+
lee@li388-156:~$ </pre></div></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Aug 14, 2013 at 9:19 PM, Roger Dingledine <span dir="ltr"><<a href="mailto:arma@mit.edu" target="_blank">arma@mit.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On Wed, Aug 14, 2013 at 09:08:03AM -0700, lee colleton wrote:<br>
> There's a more serious issue in that my server doesn't appear to be<br>
> reachable. I've opened tcp:443,9001 along with the two specifiedobfsproxy<br>
> ports<br>
><br>
> Aug 14 15:26:58.000 [notice] Bootstrapped 100%: Done.<br>
> Aug 14 15:26:58.000 [notice] Now checking whether ORPort<br>
> <a href="http://173.255.119.202:443" target="_blank">173.255.119.202:443</a> is reachable... (this may take up to 20 minutes --<br>
> look for log messages indicating success)<br>
> Aug 14 15:28:00.000 [notice] New control connection opened.<br>
> Aug 14 15:46:56.000 [warn] Your server (<a href="http://173.255.119.202:443" target="_blank">173.255.119.202:443</a>) has not<br>
> managed to confirm that its ORPort is reachable. Please check your<br>
> firewalls, ports, address, /etc/hosts file, etc.<br>
<br>
</div>Well, that's because it's unreachable. (I just tried.)<br>
<br>
Can you try following the suggestion in the log message?<br>
<span><font color="#888888"><br>
--Roger<br>
</font></span><div><div><br>
--<br>
tor-talk mailing list - <a href="mailto:tor-talk@lists.torproject.org" target="_blank">tor-talk@lists.torproject.org</a><br>
To unsusbscribe or change other settings go to<br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk</a><br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</blockquote></div>
</blockquote></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div></div></div></div>
</blockquote></div><br></div>