[tor-bugs] #33751 [Internal Services/Tor Sysadmin Team]: WKD: Error running auto-key-locate wkd in Windows 10

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Mar 27 15:37:39 UTC 2020


#33751: WKD: Error running auto-key-locate wkd in Windows 10
-----------------------------------------------------+-----------------
     Reporter:  ggus                                 |      Owner:  tpa
         Type:  defect                               |     Status:  new
     Priority:  High                                 |  Milestone:
    Component:  Internal Services/Tor Sysadmin Team  |    Version:
     Severity:  Normal                               |   Keywords:
Actual Points:                                       |  Parent ID:
       Points:                                       |   Reviewer:
      Sponsor:                                       |
-----------------------------------------------------+-----------------
 I'm reviewing our instructions to verify Tor Browser[1] and it looks like
 our wkd has some issues with Windows. It works fine with macOS
 and Linux.

 I asked in gnupg-users mailing list[2], and Werner Koch suggested that

 "A reason for the failed handshake might be that no common parameters
 could be found.  We would need to look at the server log or run tests
 with that server to see what it expects.  I copy the full TLS log below.
 I have no GNUTLS based build currently available, if that works, its log
 could give also some conclusion.  However, on Windows we always use
 NTBTLS."

 Here's the log:

 {{{
 DBG: ntbtls(2): handshake
 DBG: ntbtls(2): client state: 0 (hello_request)
 DBG: ntbtls(3): flush output
 DBG: ntbtls(2): client state: 1 (client_hello)
 DBG: ntbtls(3): flush output
 DBG: ntbtls(2): write client_hello
 DBG: ntbtls(3): client_hello, max version: [3:3]
 DBG: ntbtls(3): client_hello, current time: 1585298512
 DBG: client_hello, random bytes:
 5e7dbc5008b76aa83d09c4393a4bdbe792ad9fee5198c6d9f88357ad16020156
 DBG: ntbtls(3): client_hello, session id len.: 0
 DBG: client_hello, session id:
 DBG: ntbtls(5): client_hello, add ciphersuite: 49192 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
 DBG: ntbtls(5): client_hello, add ciphersuite:   107 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite: 49172 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite:    57 TLS-DHE-RSA-WITH-AES-256-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite: 49271 TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384
 DBG: ntbtls(5): client_hello, add ciphersuite:   196 TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite:   136 TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite: 49191 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite:   103 TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite: 49171 TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite:    51 TLS-DHE-RSA-WITH-AES-128-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite: 49270 TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite:   190 TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite:    69 TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite: 49170 TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite:    22 TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite: 49208 TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384
 DBG: ntbtls(5): client_hello, add ciphersuite:   179 TLS-DHE-PSK-WITH-AES-256-CBC-SHA384
 DBG: ntbtls(5): client_hello, add ciphersuite: 49206 TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite:   145 TLS-DHE-PSK-WITH-AES-256-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite: 49307 TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384
 DBG: ntbtls(5): client_hello, add ciphersuite: 49303 TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384
 DBG: ntbtls(5): client_hello, add ciphersuite: 49207 TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite:   178 TLS-DHE-PSK-WITH-AES-128-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite: 49205 TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite:   144 TLS-DHE-PSK-WITH-AES-128-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite: 49302 TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite: 49306 TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite: 49204 TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite:   143 TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite:    61 TLS-RSA-WITH-AES-256-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite:    53 TLS-RSA-WITH-AES-256-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite:   192 TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite:   132 TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite:    60 TLS-RSA-WITH-AES-128-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite:    47 TLS-RSA-WITH-AES-128-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite:   186 TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite:    65 TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite:    10 TLS-RSA-WITH-3DES-EDE-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite:   183 TLS-RSA-PSK-WITH-AES-256-CBC-SHA384
 DBG: ntbtls(5): client_hello, add ciphersuite:   149 TLS-RSA-PSK-WITH-AES-256-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite: 49305 TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384
 DBG: ntbtls(5): client_hello, add ciphersuite:   182 TLS-RSA-PSK-WITH-AES-128-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite:   148 TLS-RSA-PSK-WITH-AES-128-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite: 49304 TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite:   147 TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite:   175 TLS-PSK-WITH-AES-256-CBC-SHA384
 DBG: ntbtls(5): client_hello, add ciphersuite:   141 TLS-PSK-WITH-AES-256-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite: 49301 TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384
 DBG: ntbtls(5): client_hello, add ciphersuite:   174 TLS-PSK-WITH-AES-128-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite:   140 TLS-PSK-WITH-AES-128-CBC-SHA
 DBG: ntbtls(5): client_hello, add ciphersuite: 49300 TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite:   139 TLS-PSK-WITH-3DES-EDE-CBC-SHA
 DBG: ntbtls(3): client_hello, got 54 ciphersuites
 DBG: ntbtls(3): client_hello, compress len.: 2
 DBG: ntbtls(3): client_hello, compress alg.: 1 0
 DBG: ntbtls(3): client_hello, adding server name extension: 'openpgpkey.torproject.org'
 DBG: ntbtls(3): client_hello, adding signature_algorithms extension
 DBG: ntbtls(3): client hello, adding supported_elliptic_curves extension
 DBG: ntbtls(3): client hello, adding supported_point_formats extension
 DBG: ntbtls(3): client_hello, adding session ticket extension
 DBG: ntbtls(3): client_hello, total extension length: 88
 DBG: ntbtls(3): write record
 DBG: ntbtls(3): output record: msgtype = 22, version = [3:3], msglen = 242
 DBG: output record sent to network:
 16030300f2010000ee03035e7dbc5008b76aa83d09c4393a4bdbe792ad9fee51 \
 DBG:
 98c6d9f88357ad1602015600006c00ffc028006bc0140039c07700c40088c027 \
 DBG:
 0067c0130033c07600be0045c0120016c03800b3c0360091c09bc097c03700b2 \
 DBG:
 c0350090c096c09ac034008f003d003500c00084003c002f00ba0041000a00b7 \
 DBG:
 0095c09900b60094c098009300af008dc09500ae008cc094008b020100005800 \
 DBG:
 00001e001c0000196f70656e7067706b65792e746f7270726f6a6563742e6f72 \
 DBG:
 67000d001600140601050104010301020106030503040303030203000a000e00 \
 DBG:
 0c001700180019001a001b001c000b0002010000230000
 DBG: ntbtls(3): flush output
 DBG: ntbtls(3): message length: 247, out_left: 247
 DBG: ntbtls(3): es_write returned: success
 DBG: ntbtls(2): client state: 2 (server_hello)
 DBG: ntbtls(3): flush output
 DBG: ntbtls(2): read server_hello
 DBG: ntbtls(3): read record
 DBG: ntbtls(3): fetch input
 DBG: ntbtls(3): in_left: 0, nb_want: 5
 DBG: ntbtls(3): es_read returned: success
 DBG: ntbtls(3): input record: msgtype = 21, version = [3:3], msglen = 2
 DBG: ntbtls(3): fetch input
 DBG: ntbtls(3): in_left: 5, nb_want: 7
 DBG: ntbtls(3): es_read returned: success
 DBG: input record from network: 15030300020228
 DBG: ntbtls(2): got an alert message, type: [2:40]
 DBG: ntbtls(1): is a fatal alert message (msg 40)
 DBG: ntbtls(1): (handshake failed)
 DBG: ntbtls(1): read_record returned: Fatal alert message received <TLS>
 DBG: ntbtls(2): handshake ready
 TLS handshake failed: Fatal alert message received <TLS>
 error connecting to 'https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf?l=torbrowser': Fatal alert message received
 DBG: ntbtls(2): release
 command 'WKD_GET' failed: Fatal alert message received <TLS>
 }}}

 [1] gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser at torproject.org
 https://support.torproject.org/tbb/how-to-verify-signature/
 [2] https://lists.gnupg.org/pipermail/gnupg-users/2020-March/063385.html

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33751>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
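
Added example, not part of the ticket or of GnuPG/NTBTLS: a small Python parser for the ntbtls debug format shown in the log above. It groups the offered ciphersuites by cipher mode (every suite listed in the ticket's ClientHello is a CBC suite) and decodes the alert record `15030300020228`. The sample lines are constructed in that format, and the function names are this example's own.

```python
import re

# Constructed sample in the ntbtls debug format from the ticket; two entries
# are split the way a mail archive wraps long lines.
SAMPLE_LOG = """\
 DBG: ntbtls(5): client_hello, add ciphersuite: 49192 TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
 DBG: ntbtls(5): client_hello, add ciphersuite:   107 TLS-DHE-RSA-WITH-
 AES-256-CBC-SHA256
 DBG: ntbtls(5): client_hello, add ciphersuite:    61 TLS-RSA-WITH-AES-256
 -CBC-SHA256
 DBG: input record from network: 15030300020228
"""

# Subset of the TLS alert registry (RFC 5246 section 7.2, RFC 6066).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 47: "illegal_parameter",
                      70: "protocol_version", 71: "insufficient_security"}
SUITE_RE = re.compile(r"add ciphersuite:\s*(\d+)\s+(TLS-\S+)")
RECORD_RE = re.compile(r"input record from network:\s*([0-9a-fA-F]+)")

def unwrap(log):
    """Rejoin entries that were split at a hyphen by mail line wrapping."""
    out = []
    for line in filter(None, map(str.strip, log.splitlines())):
        if out and not line.startswith("DBG:") and (out[-1][-1] == "-" or line[0] == "-"):
            out[-1] += line
        else:
            out.append(line)
    return out

def parse_alert(record_hex):
    """Decode a plaintext alert record: type(1) version(2) length(2) level(1) desc(1)."""
    raw = bytes.fromhex(record_hex) if len(record_hex) % 2 == 0 else b""
    if len(raw) != 7 or raw[0] != 21 or int.from_bytes(raw[3:5], "big") != 2:
        return None  # not an unencrypted TLS alert record
    return {"version": (raw[1], raw[2]),
            "level": ALERT_LEVELS.get(raw[5], f"unknown({raw[5]})"),
            "description": ALERT_DESCRIPTIONS.get(raw[6], f"unknown({raw[6]})")}

def summarize(log):
    """Return (suites grouped by cipher mode, decoded alert records)."""
    text = "\n".join(unwrap(log))
    modes = {"AEAD": [], "CBC": [], "other": []}
    for code, name in SUITE_RE.findall(text):
        mode = ("AEAD" if re.search(r"GCM|CCM|CHACHA20", name)
                else "CBC" if "-CBC-" in name else "other")
        modes[mode].append((int(code), name))
    alerts = [a for a in map(parse_alert, RECORD_RE.findall(text)) if a]
    return modes, alerts
```

Calling `summarize()` on the full log from the ticket gives the complete breakdown of the ClientHello; the alert decodes to a fatal `handshake_failure` sent under record version 3.3 (TLS 1.2).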

