[tor-bugs] #24432 [Obfuscation/BridgeDB]: The meek<->moat tunneling isn't set up correctly

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Nov 28 02:24:44 UTC 2017


#24432: The meek<->moat tunneling isn't set up correctly
----------------------------------+--------------------------
 Reporter:  isis                  |          Owner:  isis
     Type:  defect                |         Status:  new
 Priority:  High                  |      Milestone:
Component:  Obfuscation/BridgeDB  |        Version:
 Severity:  Normal                |     Resolution:
 Keywords:  moat bridgedb-dist    |  Actual Points:
Parent ID:                        |         Points:  2
 Reviewer:                        |        Sponsor:  SponsorM
----------------------------------+--------------------------

Comment (by isis):

 So the meek tunnel is working, but the URL redirections are still not
 quite right…

 David Fifield helped me out by providing this `externalize-pt-client`
 script (now in `bridgedb.git/scripts/externalize-pt-client` in my
 `fix/24432` branch):

 {{{
 #!/bin/bash
 set -e
 CMDLINE="${@:?need a meek-client command line}"
 TRANSPORTS=meek
 # This could be controlled by a command-line arg.
 PORT=10000
 # Run the PT client in managed mode, pull the local port out of each
 # CMETHOD line, and forward the fixed $PORT to it with socat.
 TOR_PT_MANAGED_TRANSPORT_VER=1 \
         TOR_PT_CLIENT_TRANSPORTS="$TRANSPORTS" $CMDLINE \
         | sed -n -u -e '/^CMETHOD /{s/^.*127\.0\.0\.1://;p}' | while read pt_port; do
         echo "forwarding port $PORT -> $pt_port"
         socat -v -v TCP-LISTEN:$PORT,fork,reuseaddr TCP-CONNECT:127.0.0.1:$pt_port &
 done
 }}}

 Also in that branch, I've modified `scripts/test-moat` to also (in
 addition to a localhost server) test the production server through the
 meek tunnel.  This can be accomplished by running David's script like so:

 {{{
 (bdb)∃!isisⒶwintermute:(develop *$>)~/code/torproject/bridgedb ∴ ./scripts/externalize-pt-client ~/code/go/src/git.torproject.org/pluggable-transports/meek/meek-client/meek-client -url https://tor-bridges-hyphae-channel.appspot.com/ -front www.google.com
 }}}

 Then, in another terminal, do:

 {{{
 (bdb)∃!isisⒶwintermute:(fix/24432 $)~/code/torproject/bridgedb ∴ TEST_PRODUCTION_MOAT=1 ./scripts/test-moat fetch
 }}}

 For me, the bridges.torproject.org server responds with:

 {{{
 {"errors": [{"status": "Not Implemented", "code": 501, "detail": "moat version 0.1.0 does not implement POST /moat/fetch", "version": "0.1.0", "type": "", "id": 0}]}
 }}}

 Which means:

 1) the meek tunnel through https://tor-bridges-hyphae-channel.appspot.com
 works
 2) the TLS tunneling through the Apache instance on
 bridges.torproject.org:443 works
 3) the meek-server running on polyanthum (the bridges.torproject.org host)
 is correctly stripping the meek layer of TLS
 4) the Apache instance is correctly redirecting to the Twisted Python
 server
 5) the Twisted servers are responding
 6) the moat server specifically is responding, but it isn't giving the
 correct response, since it seems to think there's no such resource

 One thing is that, watching the logs while doing this, the Twisted server
 isn't registering that a request was even made, i.e. there are no logs of
 the request hitting the server (even though it's responding with JSON API,
 which is a little weird). So the next step would probably be, in the usual
 Twisted fashion, to just add ridiculous amounts of log statements
 everywhere to figure out why it thinks there's no such resource.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24432#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
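
Added example (not part of the original message or of bridgedb.git): the `sed` expression in the script above takes whatever follows `127.0.0.1:` on any `CMETHOD` line. This sketch parses the pluggable-transport client's managed-mode output more strictly before a port is handed to a forwarder; the function name `pt_client_port` and the sample output are constructed for illustration.

```shell
#!/bin/bash
# Added example, not part of bridgedb.git: parse pluggable-transport client
# stdout and return the local port for one transport.

# Constructed sample of PT client output (the port number is made up).
SAMPLE_PT_OUTPUT='VERSION 1
CMETHOD meek socks5 127.0.0.1:45213
CMETHODS DONE'

# pt_client_port TRANSPORT  (hypothetical helper)
# Reads PT stdout lines on stdin. Prints the port and returns 0 when TRANSPORT
# is listening on 127.0.0.1; returns 1 on a PT error line, a non-loopback or
# malformed address, or when the client finishes without offering TRANSPORT.
pt_client_port() {
    local want="$1" keyword name proto addr rest port
    while read -r keyword name proto addr rest; do
        case "$keyword" in
            VERSION-ERROR|ENV-ERROR)
                echo "PT client error: $keyword $name $proto $addr $rest" >&2
                return 1 ;;
            CMETHOD-ERROR)
                [ "$name" = "$want" ] || continue
                echo "PT client could not start '$want': $proto $addr $rest" >&2
                return 1 ;;
            CMETHODS)
                # "CMETHODS DONE": no further CMETHOD lines will follow.
                echo "PT client did not offer transport '$want'" >&2
                return 1 ;;
            CMETHOD)
                [ "$name" = "$want" ] || continue
                case "$addr" in
                    127.0.0.1:*) port=${addr#127.0.0.1:} ;;
                    *) echo "refusing non-loopback listener: $addr" >&2
                       return 1 ;;
                esac
                # Accept only 1-5 digits in the range 1..65535.
                case "$port" in
                    ''|*[!0-9]*|??????*) port=0 ;;
                esac
                if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then
                    echo "$port"
                    return 0
                fi
                echo "bad port in CMETHOD line: $addr" >&2
                return 1 ;;
        esac   # any other keyword (e.g. VERSION) is ignored
    done
    echo "PT client output ended before '$want' was announced" >&2
    return 1
}

# Example: prints 45213 for the constructed sample above.
printf '%s\n' "$SAMPLE_PT_OUTPUT" | pt_client_port meek
```

The function stops reading as soon as it has an answer, so a wrapper that keeps the PT client running should keep draining the client's stdout afterwards.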

