[tor-bugs] #18654 [Obfuscation/Snowflake]: Use TLS WebSockets (wss://) for proxy-to-server communication

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Jan 21 03:52:57 UTC 2017


#18654: Use TLS WebSockets (wss://) for proxy-to-server communication
-----------------------------------+------------------------------
 Reporter:  dcf                    |          Owner:
     Type:  enhancement            |         Status:  needs_review
 Priority:  High                   |      Milestone:
Component:  Obfuscation/Snowflake  |        Version:
 Severity:  Normal                 |     Resolution:
 Keywords:  snowflake, cupcake     |  Actual Points:
Parent ID:                         |         Points:
 Reviewer:                         |        Sponsor:
-----------------------------------+------------------------------
Changes (by dcf):

 * status:  new => needs_review


Comment:

 I have some code for automatic TLS on the websocket server. I just asked
 for a personal repo to host it in #21276, but in the meantime here's a
 patch:
   attachment:snowflake-letsencrypt.0.patch

 It's using the [https://godoc.org/golang.org/x/crypto/acme/autocert
 acme/autocert] package. This integrates with the
 [https://golang.org/pkg/crypto/tls/#Config Config.GetCertificate] callback
 to fetch a new certificate on demand. The basic idea comes from a patch
 gtank made for meek-server in comment:8:ticket:18655. Basically, now,
 instead of using `--tls-cert` and `--tls-key` options, you use
 `--acme-hostnames` specifying the hostnames that can appear on the certificate.
 One surprise is that if you are not already listening on port 443, the
 program will open an ''additional'' listener on 443, because that's the
 only port the ACME spec allows.

 I have the code as of 138d2b5391 running at
 wss://snowflake.bamsoftware.com:443. It is a dedicated machine I just set
 up for the purpose. I made the necessary changes to the proxy code to use
 this wss bridge. We can add additional hostnames, too, to avoid relying
 solely on bamsoftware.com DNS: you just have to make a new DNS name (e.g.
 snowflake.keroserene.net), point it at the same server, and then add an
 additional `--acme-hostname` option to the `ServerTransportPlugin` command
 in torrc.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18654#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
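As an added illustration of the mechanism dcf describes (this is not his patch and not Snowflake's code), the Go program below shows the shape of the `--acme-hostnames` flow using only the standard library: a hostname whitelist in the role of `autocert.HostWhitelist`, a `GetCertificate` callback in the role of `autocert.Manager` that issues and caches one certificate per SNI name on demand, and the additional `:443` listener that gets opened when the main listener is on another port. The self-signed issuance is a stand-in for the ACME order that `acme/autocert` performs; the type and function names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"strings"
	"sync"
	"time"
)

// hostPolicy plays the role of autocert.HostWhitelist for the names given
// with --acme-hostnames: a certificate may only be issued for a listed name.
type hostPolicy map[string]bool

func newHostPolicy(hosts []string) hostPolicy {
	p := hostPolicy{}
	for _, h := range hosts {
		if h = strings.ToLower(strings.TrimSpace(h)); h != "" {
			p[h] = true
		}
	}
	return p
}

// certManager is a stand-in (assumption, not the real API) for
// autocert.Manager. Its GetCertificate method plugs into tls.Config and
// issues and caches one certificate per SNI hostname on demand.
type certManager struct {
	policy hostPolicy
	mu     sync.Mutex
	cache  map[string]*tls.Certificate
	issued int // issuance counter, so callers can verify the cache works
}

func newCertManager(p hostPolicy) *certManager {
	return &certManager{policy: p, cache: map[string]*tls.Certificate{}}
}

// GetCertificate has the signature tls.Config.GetCertificate expects.
func (m *certManager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	name := strings.ToLower(strings.TrimSuffix(hello.ServerName, "."))
	if name == "" {
		return nil, errors.New("acme: client sent no server name (SNI)")
	}
	if !m.policy[name] {
		// Refuse before touching the CA: an attacker pointing an arbitrary
		// name at this box must not be able to trigger issuance for it.
		return nil, errors.New("acme: host not allowed: " + name)
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	if c, ok := m.cache[name]; ok {
		return c, nil
	}
	c, err := selfSign(name)
	if err != nil {
		return nil, err
	}
	m.cache[name] = c
	m.issued++
	return c, nil
}

// selfSign mints a short-lived certificate for name. It replaces the ACME
// order that autocert would perform; only the on-demand plumbing is the point.
func selfSign(name string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// listenTLS opens the wss listener on addr and, when addr is not already on
// port 443, an additional listener on :443 for ACME validation, which is the
// surprise described in the comment above. Both share the GetCertificate callback.
func listenTLS(addr string, cfg *tls.Config) ([]net.Listener, error) {
	addrs := []string{addr}
	if _, port, err := net.SplitHostPort(addr); err == nil && port != "443" {
		addrs = append(addrs, ":443")
	}
	var ls []net.Listener
	for _, a := range addrs {
		l, err := tls.Listen("tcp", a, cfg)
		if err != nil {
			return nil, err
		}
		ls = append(ls, l)
	}
	return ls, nil
}
```

Usage is `listenTLS(":8443", &tls.Config{GetCertificate: newCertManager(newHostPolicy(hosts)).GetCertificate})`; with the real package the equivalent is `autocert.Manager{Prompt: autocert.AcceptTOS, HostPolicy: autocert.HostWhitelist(hosts...), Cache: autocert.DirCache(dir)}` and its `GetCertificate` method. The check that matters is the whitelist before issuance: without it, anyone who can point a DNS name at the server can make it order certificates for that name, burning the CA's rate limits.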

