[tbb-dev] Problem solved! [Was: Request for help: debugging Moat in Tails]

anonym anonym at riseup.net
Fri May 22 16:29:47 UTC 2020


David Fifield:
> For some basic debugging, you should check that these commands work to
> talk to the endpoint of the meek tunnel:
> 	$ curl https://onion.azureedge.net/
> 	I’m just a happy little web server.
> 	$ curl -H 'Host: onion.azureedge.net' https://ajax.aspnetcdn.com/
> 	I’m just a happy little web server.

Looking into this made me eventually realize that there was no DNS resolution possible in the context Tor Launcher is running from inside Tails: it was using little-t-tor (via DNSPort) as resolver, but at the time we're not connected to the Tor network, *and* we even have DisableNetwork set, so that is a no go and we find ourselves in a catch-22 situation. I fixed it by making Tor Launcher use the resolver obtained through DHCP instead. Now I have a basic PoC for Moat in Tails! \o/

Thank you so much for kicking me in the right direction!

> If those work, you can try communicating with Moat through the tunnel.
> You will need to run obfs4proxy and pass it specially formatted SOCKS
> credentials that encode the url= and front= parameters. You will have to
> change the XXXXX port number to match what obfs4proxy outputs in the
> CMETHOD line.
> 	$ TOR_PT_MANAGED_TRANSPORT_VER=1 TOR_PT_STATE_LOCATION=pt_state TOR_PT_CLIENT_TRANSPORTS=meek_lite /usr/local/lib/obfs4proxy/obfs4proxy
> 	CMETHOD meek_lite socks5
> 	$ curl --proxy socks5://url%3Dhttps%3A%2F%2Fonion.azureedge.net:%2F at https://bridges.torproject.org/moat/
> 	{"errors": [{"id": "0", "type": "", "version": "0.1.0", "code": 501, "status": "Not Implemented", "detail": "moat version 0.1.0 does not implement GET /moat/"}]}
> 	$ curl --proxy socks5://url%3Dhttps%3A%2F%2Fonion.azureedge.net%2F%3Bfront=ajax.aspnetcdn.co:m at https://bridges.torproject.org/moat/
> 	{"errors": [{"id": "0", "type": "", "version": "0.1.0", "code": 501, "status": "Not Implemented", "detail": "moat version 0.1.0 does not implement GET /moat/"}]}

The errors are really opaque when DNS isn't available! In the Tor Launcher case I got the not-so-informative "NS_ERROR_NET_INTERRUPT" I mentioned in my initial post, and for the above curl commands the failure is:

    (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to bridges.torproject.org

Neither of these got me thinking about DNS resolution. It wasn't until I fired up a packet sniffer that I saw that DNS resolution failed for ajax.aspnetcdn.com. :)

So, case closed!
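A preflight check for the failure mode described above, added here as an example (it is not code from this thread, from Tails or from Tor Launcher): it resolves the front and tunnel hostnames as a separate stage before opening TLS, so a resolver that cannot answer (such as tor's DNSPort while DisableNetwork is set) is reported as a DNS failure instead of an opaque TLS or socket error. The hostnames are the ones from the thread; the stage callables are injectable so the logic can be exercised offline.

```python
import socket
import ssl

# Hostnames taken from the thread: the domain-fronting CDN front and the tunnel endpoint.
FRONT = "ajax.aspnetcdn.com"
TUNNEL = "onion.azureedge.net"


def _default_handshake(sock, host):
    """Complete a TLS handshake on an already connected socket (default stage)."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(sock, server_hostname=host):
        pass


def classify_failure(host, port=443, resolve=socket.getaddrinfo,
                     connect=socket.create_connection,
                     handshake=_default_handshake, timeout=5.0):
    """Return 'dns', 'tcp', 'tls' or 'ok' depending on where the path to host:port
    breaks.  Each stage is a constructed, injectable callable so the check can run
    offline; the defaults use the real resolver, TCP connect and TLS handshake."""
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except OSError:          # socket.gaierror is an OSError: the resolver failed
        return "dns"
    if not infos:
        return "dns"
    addr = infos[0][4][:2]   # (ip, port), works for IPv4 and IPv6 sockaddrs
    try:
        sock = connect(addr, timeout)
    except OSError:
        return "tcp"
    try:
        handshake(sock, host)
    except (ssl.SSLError, OSError):
        return "tls"
    finally:
        sock.close()
    return "ok"


def preflight(hosts=(FRONT, TUNNEL), **stages):
    """Run the staged check for every host and map host -> failing stage or 'ok'."""
    return {h: classify_failure(h, **stages) for h in hosts}


if __name__ == "__main__":
    for host, status in preflight().items():
        print(f"{host}: {status}")
```

Running it on a box whose only resolver is an unconnected tor's DNSPort yields "dns" for both hosts, which is exactly the hint the NS_ERROR_NET_INTERRUPT and SSL_ERROR_SYSCALL messages hid.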
