[tor-bugs] #4744 [Tor Bridge]: GFW probes based on Tor's SSL cipher list

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Mar 13 16:07:50 UTC 2012 

#4744: GFW probes based on Tor's SSL cipher list
--------------------------------+-------------------------------------------
 Reporter:  asn                 |          Owner:  nickm             
     Type:  defect              |         Status:  needs_revision    
 Priority:  major               |      Milestone:  Tor: 0.2.3.x-final
Component:  Tor Bridge          |        Version:                    
 Keywords:  tls fingerprinting  |         Parent:  #4185             
   Points:                      |   Actualpoints:                    
--------------------------------+-------------------------------------------

Comment(by nickm):

 Wanoskarnet recommends this version instead.

 {{{
 --- tortls.c.orig       2011-12-15
 +++ tortls.c    2012-03-13
 @@ -907,6 +907,24 @@
    return 1;
  }

 +static void
 +tor_tls_client_hack_callback(const SSL *ssl, int type, int val)
 +{
 +  (void) val;
 +  if (type == SSL_CB_HANDSHAKE_START &&
 +      !ssl->new_session) {
 +    SSL *_ssl = (SSL *)ssl;
 +    _ssl->new_session = 3; /* XxXXxX Hack. Do not repeat if alone at home
 */
 +    return;
 +  }
 +  if (type == SSL_CB_CONNECT_LOOP &&
 +      ssl->new_session == 3) {
 +    SSL *_ssl = (SSL *)ssl;
 +    _ssl->new_session = 0; /* XxXXxX Hack. Do not repeat if alone at home
 */
 +    return;
 +  }
 +}
 +
  /** Invoked when we're accepting a connection on <b>ssl</b>, and the
 connection
   * changes state. We use this:
   * <ul><li>To alter the state of the handshake partway through, so we
 @@ -1092,6 +1110,12 @@
    }
  #endif

 +#ifdef V2_HANDSHAKE_CLIENT
 +  if (!isServer) {
 +    SSL_set_info_callback(result->ssl, tor_tls_client_hack_callback);
 +  }
 +#endif
 +
    /* Not expected to get called. */
    tls_log_errors(NULL, LOG_WARN, LD_NET, "creating tor_tls_t object");
    return result;
 @@ -1324,6 +1348,7 @@
  #endif
      } else {
  #ifdef V2_HANDSHAKE_CLIENT
 +      SSL_set_info_callback(tls->ssl, NULL);
        /* If we got no ID cert, we're a v2 handshake. */
        X509 *cert = SSL_get_peer_certificate(tls->ssl);
        STACK_OF(X509) *chain = SSL_get_peer_cert_chain(tls->ssl);
 }}}

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4744#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list