I was just wondering if there were any debugging tools you could recommend.
I'm setting up a tor site on ubuntu, using apache2 to work with ssl. I'm having trouble tracking the errors.
I can see my site is there, but not working. Looking at a well known site:
torsocks --debug wget --no-check-certificate www.propub3r6espa33w.onion
It works.
When I do it for my site, I get:
1538477773 DEBUG torsocks[8726]: Socks5 received connect reply - ver: 5, rep: 0x05, atype: 0x01 (in socks5_recv_connect_reply() at socks5.c:525) 1538477773 ERROR torsocks[8726]: Connection refused to Tor SOCKS (in socks5_recv_connect_reply() at socks5.c:549)
But when I look for the connection refused on the server, I can't find any reference to it in syslog or in hs.log or hsinfo.log - I've directed the weblogs to syslog.
Where should I be looking?
I'd like to be able to capture the flow:
https -> tor network -> 127.0.0.2 port 443 -> tor -> apache -> *.php
To see where, and why, it fails. I'd hoped to find a debug option, or log, that allows me to see the socks5_recv_connect_reply() being sent from my server.
Any suggestions?
On Tue, 2 Oct 2018 13:01:17 +0200 Peter Brooks peter.h.m.brooks@gmail.com wrote:
When I do it for my site, I get:
1538477773 DEBUG torsocks[8726]: Socks5 received connect reply - ver: 5, rep: 0x05, atype: 0x01 (in socks5_recv_connect_reply() at socks5.c:525) 1538477773 ERROR torsocks[8726]: Connection refused to Tor SOCKS (in socks5_recv_connect_reply() at socks5.c:549)
This looks like a reply by your tor client. Are you using the correct port? Please be more specific which commands you are using.
https://gitweb.torproject.org/torsocks.git/tree/src/common/socks5.c#n540
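To make sense of the torsocks line quoted above, here is an added example (not code from the thread or from torsocks) that builds the SOCKS5 CONNECT request a hostname-aware client sends to Tor's SocksPort and decodes the reply fields torsocks printed; the sample reply bytes are constructed from the values in the log (ver 5, rep 0x05, atype 0x01).

```python
import struct

# Constructed sample: the reply torsocks logged in the thread had
# ver 5, rep 0x05, atyp 0x01; BND.ADDR/BND.PORT are zeroed here.
SAMPLE_REPLY = bytes([0x05, 0x05, 0x00, 0x01, 0, 0, 0, 0, 0, 0])

# RFC 1928 section 6 reply field values. Tor maps the stream-end reason
# it receives from the far side of the circuit onto these codes.
REP_CODES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}

def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT with ATYP 0x03 (domain name), so the proxy resolves the name.
    This is what curl --socks5-hostname and torsocks send; it is required for
    .onion names, which cannot be resolved locally."""
    name = host.encode("ascii")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return bytes([0x05, 0x01, 0x00, 0x03, len(name)]) + name + struct.pack("!H", port)

def parse_connect_reply(data: bytes) -> dict:
    """Decode VER/REP/ATYP and the bound address; raise on malformed input."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == 0x01:      # IPv4
        addr, rest = ".".join(str(b) for b in data[4:8]), data[8:]
    elif atyp == 0x03:    # domain name
        n = data[4]
        addr, rest = data[5:5 + n].decode("ascii"), data[5 + n:]
    elif atyp == 0x04:    # IPv6
        addr, rest = data[4:20].hex(), data[20:]
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(rest) < 2:
        raise ValueError("truncated reply")
    (port,) = struct.unpack("!H", rest[:2])
    return {"rep": rep, "reason": REP_CODES.get(rep, "unknown"), "atyp": atyp,
            "bind_addr": addr, "bind_port": port}
```

Decoding the constructed sample gives rep 5, "connection refused", which is the code the client-side tor hands back; the refusal itself happened beyond the SOCKS port, not at it.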
Yes, it is the output from ‘torsocks’.
I have configured:
127.0.0.2:443
On my host torrc file. With apache2 listening on :443
<VirtualHost *:443>
Sent from my iPad
On 2 Oct 2018, at 13:52, Traumschule traumschuleriebau@riseup.net wrote:
On Tue, 2 Oct 2018 13:01:17 +0200 Peter Brooks peter.h.m.brooks@gmail.com wrote:
When I do it for my site, I get:
1538477773 DEBUG torsocks[8726]: Socks5 received connect reply - ver: 5, rep: 0x05, atype: 0x01 (in socks5_recv_connect_reply() at socks5.c:525) 1538477773 ERROR torsocks[8726]: Connection refused to Tor SOCKS (in socks5_recv_connect_reply() at socks5.c:549)
This looks like a reply by your tor client. Are you using the correct port? Please be more specific which commands you are using.
https://gitweb.torproject.org/torsocks.git/tree/src/common/socks5.c#n540
-- traumschule.org
_______________________________________________
tor-onions mailing list
tor-onions@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-onions
Well, any loopback address will do, and I don’t want to have multiple listeners on 127.0.0.1.
Sent from my iPad
On 2 Oct 2018, at 15:11, Andreas Krey a.krey@gmx.de wrote:
On Tue, 02 Oct 2018 13:59:21 +0000, Peter brooks wrote:
Yes, it is the output from 'torsocks'.
I have configured:
127.0.0.2:443
dot *two*? Not .1?
Andreas
-- "Totally trivial. Famous last words." From: Linus Torvalds <torvalds@*.org> Date: Fri, 22 Jan 2010 07:29:21 -0800
On Tue, 02 Oct 2018 16:04:49 +0000, Peter brooks wrote:
Well, any loopback address will do, and I don't want to have multiple listeners on 127.0.0.1.
I know that that works (but I tend to use it when I need multiple listeners on the same port, for simulating networks on one host).
And it was the only obvious potential misconfiguration.
Other than that it happens that a client tor instance just can't reach a given hidden service. You might try to access from another computer via tor browser / a tor browser on your computer (which probably brings its own client tor instance).
- Andreas
Possibly irrelevant aside: much as I love the theory of torsocks (and am in a former life a big fan of LD_PRELOAD) - I latterly have given up on it and swapped entirely to 'curl -x' and variations upon 'nc' to perform onion testing; I just got fed up with version incompatibilities between the libraries and the command line. Torsocks sadly very much feels like a second class citizen product with respect to the rest of the Tor ecosystem.
There are examples of what I do instead, in:
https://lists.torproject.org/pipermail/tor-onions/2018-September/000311.html
-a
Thank you. That is a good idea. Using curl does make the local proxy clear.
I’ve also used the tor browser.
The problem, though, isn’t with the client. I can reach other tor / SSL sites.
I can’t seem to pick up the refusal on the server end.
Sent from my iPad
On 2 Oct 2018, at 16:58, Alec Muffett alec.muffett@gmail.com wrote:
Possibly irrelevant aside: much as I love the theory of torsocks (and am in a former life a big fan of LD_PRELOAD) - I latterly have given up on it and swapped entirely to 'curl -x' and variations upon 'nc' to perform onion testing; I just got fed up with version incompatibilities between the libraries and the command line. Torsocks sadly very much feels like a second class citizen product with respect to the rest of the Tor ecosystem.
There are examples of what I do instead, in:
https://lists.torproject.org/pipermail/tor-onions/2018-September/000311.html
-a
On Tue, 02 Oct 2018 21:18:34 +0000, Peter brooks wrote: ...
I can't seem to pick up the refusal on the server end.
If you have misconfigured your HiddenServicePorts and 443 isn't actually mapped, tor itself does the rejection, and I don't know if/at what level that is logged. Likewise if you point it *to* the wrong port. I'd start misconfiguring on purpose and see how the logs change.
- Andreas
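Before misconfiguring on purpose, it helps to check what the torrc actually maps to and whether anything listens there. This added example (not from the thread) parses HiddenServicePort lines with the torrc defaults (no target means 127.0.0.1:VIRTPORT, an address without a port means VIRTPORT) and compares the targets against a constructed listener table of the kind lsof or ss would report.

```python
import re

# Constructed torrc fragment modelled on the thread: Apache is the target on
# the second loopback address rather than 127.0.0.1.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/example_hs/
HiddenServicePort 443 127.0.0.2:443
HiddenServicePort 80 127.0.0.2
HiddenServicePort 8080
"""

# Constructed listener table as `ss -ltn` or `lsof -i` would show it; Apache
# bound to *:443 (0.0.0.0) covers every local address, including 127.0.0.2.
SAMPLE_LISTENERS = {("0.0.0.0", 443), ("127.0.0.1", 9050), ("127.0.0.2", 80)}

def parse_hidden_service_ports(torrc: str) -> dict:
    """Map each virtual port to its (addr, port) target using torrc rules:
    no target -> 127.0.0.1:VIRTPORT; address without a port -> VIRTPORT."""
    ports = {}
    for line in torrc.splitlines():
        m = re.match(r"\s*HiddenServicePort\s+(\d+)(?:\s+(\S+))?", line)
        if not m:
            continue
        virt = int(m.group(1))
        target = m.group(2)
        if target is None:
            ports[virt] = ("127.0.0.1", virt)
        elif target.startswith("unix:"):
            ports[virt] = (target, None)          # unix socket target
        elif ":" in target:
            addr, _, port = target.rpartition(":")  # keeps [v6] addresses intact
            ports[virt] = (addr, int(port))
        else:
            ports[virt] = (target, virt)
    return ports

def unreachable_targets(ports: dict, listeners: set) -> list:
    """Return virtual ports whose TCP target has no matching listener.
    A wildcard bind (0.0.0.0) satisfies any address on that port."""
    bad = []
    for virt, (addr, port) in ports.items():
        if port is None:              # unix socket targets are not checked here
            continue
        if (addr, port) in listeners or ("0.0.0.0", port) in listeners:
            continue
        bad.append(virt)
    return sorted(bad)
```

With the constructed inputs, virtual port 8080 is the only one whose target (127.0.0.1:8080) has no listener, which is the case where the service-side tor, not Apache, turns the connection away.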
That bit seems OK:
$ lsof -i :9050
COMMAND PID  USER       FD  TYPE DEVICE SIZE/OFF NODE NAME
tor     7886 debian-tor 6u  IPv4 296801 0t0      TCP  localhost:9050 (LISTEN)
and this seems to work OK too:
curl --socks5-hostname localhost:9050 https://zqktlwi4fecvo6ri.onion.to/wiki/index.php/Tor
On Tue, 2 Oct 2018 at 23:06, Andreas Krey a.krey@gmx.de wrote:
On Tue, 02 Oct 2018 21:18:34 +0000, Peter brooks wrote: ...
I can't seem to pick up the refusal on the server end.
If you have misconfigured your HiddenServicePorts and 443 isn't actually mapped, tor itself does the rejection, and I don't know if/at what level that is logged. Likewise if you point it *to* the wrong port. I'd start misconfiguring on purpose and see how the logs change.
- Andreas
On 10/02/2018 07:01 AM, Peter Brooks wrote:
I'm setting up a tor site on ubuntu, using apache2 to work with ssl.
This might be a goofy question but why would SSL ever be used with a Tor Hidden Service?
Also, isn't the Apache web server still vulnerable to application layer slow post denial of service attacks?
https://sourceforge.net/projects/torshammer/ https://github.com/llaera/slowloris.pl https://github.com/marant/goloris
Why? Tor encrypts everything in transit, but not between you and the first server, and not between the last server and the target machine. Anybody listening to your output stream, or the stream to and from the remote server, can see everything in plaintext - the URL, and its parameters particularly.
With SSL, you know the URL is encrypted between your machine and the remote server, as is the returned page.
On Sat, 13 Oct 2018 at 18:56, Adam Jensen hanzer@riseup.net wrote:
On 10/02/2018 07:01 AM, Peter Brooks wrote:
I'm setting up a tor site on ubuntu, using apache2 to work with ssl.
This might be a goofy question but why would SSL ever be used with a Tor Hidden Service?
Also, isn't the Apache web server still vulnerable to application layer slow post denial of service attacks?
https://sourceforge.net/projects/torshammer/ https://github.com/llaera/slowloris.pl https://github.com/marant/goloris
On 10/13/2018 06:08 PM, Peter Brooks wrote:
Tor encrypts everything in transit, but not between you and the first server, and not between the last server and the target machine.
I haven't studied Tor in a serious way but my impression is that in a simple scenario where a client is using the Tor Browser to connect to a Tor Hidden Service, that connection is both private and secret - a third party can not access it or know that it happened. Where this isn't the case (again, just my impression) is when a plain browser is used to access a Tor Hidden Service via something like Tor2web[1], or the Tor Browser is used to access a typical clearnet web service. In both of these cases, there is a clearnet hop in the communication chain.
[1]: https://en.wikipedia.org/wiki/Tor2web
I guess if the goal is to provide privacy for those who access a Hidden Service via something like Tor2web, then making the SSL capability available probably makes some sense. I didn't really consider that scenario. I guess a self-signed SSL certificate would be necessary and those accessing the HTTPS Hidden Service would need to accept that certificate.
Hmm... Does this all seem correct and reasonable?
On Oct 13, 2018, at 09:55, Adam Jensen hanzer@riseup.net wrote:
This might be a goofy question but why would SSL ever be used with a Tor Hidden Service?
If your site exists as both a hidden service and on the clear web, then it can be problematic to maintain both TLS and unencrypted access.
One problem with hidden services is the potential for copycat sites. Particularly if you have created a vanity .onion address, others can create similar-looking addresses and post them to try to lead people to their site instead of yours. Some folks believe that an EV TLS certificate can mitigate this risk. Facebook, for example, uses an EV certificate for their .onion site. Others question the value of EV certs for most any use cases:
https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-...
AFAIK, the only folks that issue TLS certificates for .onion addresses are Digicert. They're EV only.
--2p
On 10/13/2018 08:18 PM, ronqonions@risley.net wrote:
If your site exists as both a hidden service and on the clear web, then it can be problematic to maintain both TLS and unencrypted access.
One problem with hidden services is the potential for copycat sites. Particularly if you have created a vanity .onion address, others can create similar-looking addresses and post them to try to lead people to their site instead of yours. Some folks believe that an EV TLS certificate can mitigate this risk. Facebook, for example, uses an EV certificate for their .onion site. Others question the value of EV certs for most any use cases:
https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-...
I didn't realize Certificates for .onion domains [1] were possible. Thanks for the news!
[1]: https://en.wikipedia.org/wiki/Extended_Validation_Certificate#cite_ref-7
Could the same certificate be used for both the clear web HTTPS URL and the Tor onion address or would it be necessary to maintain two separate certificates?
Facebook seems to use two different certificates:
https://www.facebook.com/ BD:25:8C:1F:62:A4:A6:D9:CF:7D:98:12:D2:2E:2F:F5:7E:84:FB:36
https://www.facebookcorewwwi.onion/ A8:24:85:A1:5C:10:A7:F5:48:3E:BE:FA:B9:53:B8:8D:6E:0D:EE:F7
AFAIK, the only folks that issue TLS certificates for .onion addresses are Digicert. They're EV only.
It's not really important but my site [2] has a digicert certificate and if it is Extended Validation then they verified my legal identity in a very indirect way :)
On Oct 13, 2018, at 18:00, Adam Jensen hanzer@riseup.net wrote:
AFAIK, the only folks that issue TLS certificates for .onion addresses are Digicert. They're EV only.
It's not really important but my site [2] has a digicert certificate and if it is Extended Validation then they verified my legal identity in a very indirect way :)
Sorry, I worded that poorly. I meant that I believe that the only certificates that Digicert issues *for .onion sites* are EV certificates.
--2p