[tor-bugs] #24432 [Obfuscation/BridgeDB]: The meek<->moat tunneling isn't set up correctly

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Feb 13 01:18:14 UTC 2018


#24432: The meek<->moat tunneling isn't set up correctly
----------------------------------+--------------------------
 Reporter:  isis                  |          Owner:  isis
     Type:  defect                |         Status:  reopened
 Priority:  High                  |      Milestone:
Component:  Obfuscation/BridgeDB  |        Version:
 Severity:  Normal                |     Resolution:
 Keywords:  moat bridgedb-dist    |  Actual Points:
Parent ID:  #24689                |         Points:  2
 Reviewer:                        |        Sponsor:  SponsorM
----------------------------------+--------------------------

Comment (by isis):

 Okay, I think I've found at least one issue, but it appears to be some bad
 interaction between TLS configs between the meek-server, Apache, and the
 moat server:

 If I run:

 {{{
 cd scripts
 TEST_PRODUCTION_MOAT=1 ./test-moat fetch > /tmp/moat-fetch
 ./moat-fetch-and-format-captcha-response.py
 }}}

 where the last script is just something I whipped together for testing
 ([XXX attached]), I get:

 {{{
 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <html><head>
 <title>400 Bad Request</title>
 </head><body>
 <h1>Bad Request</h1>
 <p>Your browser sent a request that this server could not understand.<br
 />
 Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
  Instead use the HTTPS scheme to access this URL, please.<br />
 </p>
 <hr>
 <address>Apache Server at bridges.torproject.org Port 443</address>
 </body></html>
 {"errors": [{"status": "Unsupported Media Type", "code": 415, "detail":
 "", "version": "0.1.0", "type": "", "id": 0}]}
 }}}

 The full log is [XXX attached as a `script` typescript file] (read it with
 `less -r typescript` and beware that it is a raw terminal log including
 escape characters).

 I have no idea why:

  1. Both the Apache server *and* the moat server could answer in the same
 response. (I don't know much about Apache.)
  2. The Apache server is complaining about TLS. (I don't know much about
 meek.)
  3. The moat server is erroring with `415 Unsupported Media Type`, since
 that would only happen if it got the HTTP header `Content-Type:
 application/vnd.api+json` but with a media type parameter specified, e.g.
 `Content-Type: application/vnd.api+json;jpeg`. (It sounds like either
 Apache, the meek reflector, or meek-server is altering the headers?)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24432#comment:25>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
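
The header check described in item 3 of the comment, as an added example (not BridgeDB, moat, or meek code): it tests whether a Content-Type value is the JSON:API media type carrying a parameter, and finds the first pair of hops between which a logged header changed. The hop order, the function names and the sample values are assumptions constructed for illustration and say nothing about which component is actually at fault.

```python
"""Find where a JSON:API Content-Type header picks up a media type parameter."""

JSONAPI = "application/vnd.api+json"


def split_media_type(value):
    """Return (lowercased media type, list of parameters) for a header value."""
    parts = [p.strip() for p in value.split(";")]
    return parts[0].lower(), [p for p in parts[1:] if p]


def would_be_415(value):
    """True when the value is the JSON:API type with any media type parameter,
    the condition the comment gives for the 415 response."""
    media_type, params = split_media_type(value)
    return media_type == JSONAPI and bool(params)


def first_change(observations):
    """observations: ordered (hop name, Content-Type received there) pairs.
    Returns (upstream hop, downstream hop, value before, value after) for the
    first adjacent pair whose values differ, or None if nothing changes.
    Differences in the case of the media type are not counted as a change."""
    for (up, before), (down, after) in zip(observations, observations[1:]):
        if split_media_type(before) != split_media_type(after):
            return up, down, before, after
    return None


# Constructed sample: values as they might be logged on receipt at each hop.
# The hop order is assumed, not taken from the ticket.
SAMPLE = [
    ("client", "application/vnd.api+json"),
    ("meek reflector", "application/vnd.api+json"),
    ("meek-server", "Application/vnd.api+json"),
    ("Apache", "application/vnd.api+json;jpeg"),
    ("moat", "application/vnd.api+json;jpeg"),
]

if __name__ == "__main__":
    for hop, value in SAMPLE:
        print(f"{hop:15} {value!r:36} 415={would_be_415(value)}")
    print("first change:", first_change(SAMPLE))
```

A change reported between two hops means the upstream hop, or something sitting between the two, rewrote the header before it was received downstream.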

