[tor-bugs] #4744 [Tor Bridge]: GFW probes based on Tor's SSL cipher list

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Mar 13 14:07:37 UTC 2012


#4744: GFW probes based on Tor's SSL cipher list
--------------------------------+-------------------------------------------
 Reporter:  asn                 |          Owner:  nickm             
     Type:  defect              |         Status:  needs_revision    
 Priority:  major               |      Milestone:  Tor: 0.2.3.x-final
Component:  Tor Bridge          |        Version:                    
 Keywords:  tls fingerprinting  |         Parent:  #4185             
   Points:                      |   Actualpoints:                    
--------------------------------+-------------------------------------------

Comment(by arma):

 {{{
 --- tortls.c.orig       2011-12-15
 +++ tortls.c    2012-03-13
 @@ -907,6 +907,24 @@
    return 1;
  }

 +static void
 +tor_tls_client_hack_callback(const SSL *ssl, int type, int val)
 +{
 +  (void) val;
 +  if (type == SSL_CB_HANDSHAKE_START &&
 +      !ssl->new_session) {
 +    SSL *_ssl = (SSL *)ssl;
 +    _ssl->new_session = 3; /* XxXXxX Hack. Do not repeat if alone at home
 */
 +    return;
 +  }
 +  if (type == SSL_CB_ACCEPT_LOOP &&
 +      ssl->new_session == 3) {
 +    SSL *_ssl = (SSL *)ssl;
 +    _ssl->new_session = 0; /* XxXXxX Hack. Do not repeat if alone at home
 */
 +    return;
 +  }
 +}
 +
  /** Invoked when we're accepting a connection on <b>ssl</b>, and the
 connection
   * changes state. We use this:
   * <ul><li>To alter the state of the handshake partway through, so we
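Review bot: the reset branch of tor_tls_client_hack_callback can never run as written: it waits for SSL_CB_ACCEPT_LOOP, which OpenSSL raises from the server-side (accept) state machine, but the second hunk installs this callback only when !isServer, so on the client the event that fires is SSL_CB_CONNECT_LOOP and new_session stays at the magic value 3 until OpenSSL itself clears it. If the intent is to undo the hack once the ClientHello has been written, test for SSL_CB_CONNECT_LOOP. The comment "XxXXxX Hack. Do not repeat if alone at home" also documents nothing: say what the nonzero new_session changes in the ClientHello OpenSSL builds (the discussion below points at the cipher list and the auto-appended 0x00ff), why 3 rather than 1, and that writing through a cast-away const into the SSL struct depends on the private layout of the OpenSSL version in use.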
 @@ -1092,6 +1110,12 @@
    }
  #endif

 +#ifdef V2_HANDSHAKE_CLIENT
 +  if (!isServer) {
 +    SSL_set_info_callback(result->ssl, tor_tls_client_hack_callback);
 +  }
 +#endif
 +
    /* Not expected to get called. */
    tls_log_errors(NULL, LOG_WARN, LD_NET, "creating tor_tls_t object");
    return result;
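Review bot: SSL_set_info_callback here replaces, without comment, any info callback already set on result->ssl (the comment above hunk 1 describes the one used on the accept side), so a future client-side callback would silently be overwritten by the hack or vice versa. Either state in a comment that client connections built under V2_HANDSHAKE_CLIENT have no other info callback, or read the existing one with SSL_get_info_callback and chain to it from tor_tls_client_hack_callback.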
 @@ -1324,6 +1348,7 @@
  #endif
      } else {
  #ifdef V2_HANDSHAKE_CLIENT
 +      SSL_set_info_callback(tls->ssl, NULL);
        /* If we got no ID cert, we're a v2 handshake. */
        X509 *cert = SSL_get_peer_certificate(tls->ssl);
        STACK_OF(X509) *chain = SSL_get_peer_cert_chain(tls->ssl);
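Review bot: the inserted SSL_set_info_callback(tls->ssl, NULL) sits between the #ifdef and the comment "If we got no ID cert, we're a v2 handshake.", so that comment now reads as if it explained the callback removal rather than the certificate check below it. Give the removal its own comment stating why it happens at this point (so that a later handshake on this connection does not re-enter the hack) and note that new_session is left in whatever state the callback put it, since the callback's reset branch depends on an event the client never sees.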
 }}}

 {{{
 <wanoskarnet> We could create new SSL_METHOD if used SSLv3 or TLSv1 then use self made ssl_put_cipher_by_char(). With SSLv23 it has no sense because there are ssl3_put_cipher_by_char() used without chance to change.
 > wanoskarnet: fun hack. what does it do?
 <wanoskarnet> it prevents auto append of 0x00ff to the cipher list of client hello.
 > ah ha. because of the ciphers. is that what kz is doing to block tor? last i checked it was only china. but i've been busy with performance research stuff.
 <wanoskarnet> And censor can't ban it easily as it is now.
 <wanoskarnet> I did test yesterday from kz net.
 > with cipher change it works, without cipher change it fails?
 > and i guess 0x00ff fix is not needed quite yet, but you expect it will be the next thing needed?
 <wanoskarnet> They detect tor client by unique cipher list. after change tor client can't be detected by current rules.
 <wanoskarnet> yes no need. but it's very nice target
 <wanoskarnet> even if you change ciphers list, it's still unique. no modern browser appends it to the end.
 > why does openssl append it? because openssl has never thought somebody might use it to lie about cipher suites?
 <wanoskarnet> yes
 }}}

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4744#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
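The fingerprint wanoskarnet describes, as an added example that is not part of the ticket, of Tor's code, or of wanoskarnet's patch: a small parser that pulls the cipher-suite list out of a TLS ClientHello and applies the rule "the list ends in 0x00ff", the TLS_EMPTY_RENEGOTIATION_INFO_SCSV of RFC 5746 that OpenSSL of that era appended on its own. It also emits the whole list in hex, which is the kind of key a "unique cipher list" rule would match on. The two ClientHello messages are constructed inside the block and their cipher values are illustrative; they are not captures of a real Tor or browser client, and the function names are this example's own.

```python
# Added example for the fingerprint rule discussed in the chat above. It is not
# code from ticket #4744, from Tor, or from wanoskarnet: it parses a TLS
# ClientHello, extracts the cipher-suite list and flags a list whose final
# entry is 0x00ff (TLS_EMPTY_RENEGOTIATION_INFO_SCSV, RFC 5746), the value the
# discussion says OpenSSL appends automatically and browsers of the time did not.
# The ClientHellos below are constructed here; the cipher values are
# illustrative and are not a capture of a real Tor or browser client.
import struct

SCSV = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)


def build_client_hello(cipher_suites, version=b"\x03\x01"):
    """Build a minimal TLS record holding a ClientHello (test input only)."""
    body = version + bytes(32)                      # client_version + random
    body += b"\x00"                                 # empty session_id
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                             # compression: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # type client_hello
    return b"\x16" + version + struct.pack("!H", len(hs)) + hs


def parse_client_hello_ciphers(record):
    """Return the cipher-suite list from the ClientHello in a TLS record.

    Raises ValueError on anything that is not a well-formed ClientHello, so a
    detector built on it fails closed on garbage rather than mis-classifying.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                    # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len
    if pos + 2 > len(body):
        raise ValueError("truncated session_id")
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0]
            for i in range(pos, pos + suites_len, 2)]


def looks_openssl_generated(ciphers):
    """The rule from the discussion: the list ends with the 0x00ff SCSV."""
    return bool(ciphers) and ciphers[-1] == SCSV


def fingerprint(ciphers):
    """Hex form of the list, the key a 'unique cipher list' rule matches on."""
    return ",".join("%04x" % c for c in ciphers)


def classify(record):
    """Return 'openssl-style' or 'other' for a ClientHello record."""
    ciphers = parse_client_hello_ciphers(record)
    return "openssl-style" if looks_openssl_generated(ciphers) else "other"


# Constructed inputs (illustrative suites, not real captures).
ILLUSTRATIVE_SUITES = [0x0039, 0x0038, 0x0035, 0x0033, 0x0032,
                       0x002F, 0x0005, 0x0004, 0x000A]
OPENSSL_STYLE_HELLO = build_client_hello(ILLUSTRATIVE_SUITES + [SCSV])
BROWSER_STYLE_HELLO = build_client_hello(ILLUSTRATIVE_SUITES)

if __name__ == "__main__":
    for name, rec in (("openssl-style", OPENSSL_STYLE_HELLO),
                      ("browser-style", BROWSER_STYLE_HELLO)):
        ciphers = parse_client_hello_ciphers(rec)
        print(name, classify(rec), fingerprint(ciphers))
```

The rule identifies OpenSSL-built clients of that era, not Tor specifically: any client that adopts the SCSV, which RFC 5746 defines precisely for the ClientHello, matches it too, which is why a censor pairs it with the full cipher list rather than relying on the trailing value alone.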


More information about the tor-bugs mailing list