Tor and an HTTPS server sharing port 443 (was: Re: xxx-draft-spec-for-TLS-normalization.txt)

Bjarni Rúnar Einarsson bre at
Wed Feb 2 22:26:39 UTC 2011

2011/2/2 Bjarni Rúnar Einarsson <bre at>

> 2011/2/2 Jacob Appelbaum <jacob at>
>> Hi Bjarni!
>> Is there any reason that you can't route SSL/TLS traffic to Tor for all
>> non-SNI requests? Another thing that might work is knowing that all Tor
>> certificates currently end in .net. So while they're random, it's
>> certainly possible to know when someone explicitly wants to reach a
>> different server you certainly know about and isn't in your allowed
>> lookup table. Anything else can be routed to Tor.
> This would work, but the "default fallback" is somewhat of a coveted
> position as there are lots of web browsers out there that don't send SNI. So
> in a shared environment you want to define your "favorite" web-site as the
> default fall-back, not Tor.
> I suppose I could add a feature to Pagekite where the default is different
> for requests with SNI from requests without... best add that to the list, I
> guess. :-)

OK, I think I've got the required support in for this - it only
took 3 lines of tweaks, unless I'm overlooking something. :-)

I haven't got an entry node up and running to test this myself, and am
getting on a plane to FOSDEM in the morning so I have to go pack now... but
it works for normal HTTPS. If anyone wants to help out and test this on a
real entry node, that would save me the hassle, otherwise I'll get around to
it myself after the conference and report back.

The code is here:
Run it like this:

sudo --clean \
   --isfrontend \
   --ports=443 \
   --protos=https \
   --runas=nobody:nogroup \ \ \

This should proxy browsers requesting and old browsers without SNI
to localhost:1443, but any other SNI-bearing request will get proxied to
port 1337, which is where one would put Tor in this configuration.

Yeah, I'm asking you to run a gigantic python program as root... sorry about
that! Only way I know to get port 443... :-)

Bjarni R. Einarsson
The Beanstalks Project ehf.

Making personal web-pages fly:
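Added example, not Bjarni's Pagekite code and not anything from the Tor project: a minimal ClientHello parser plus the dispatch rule described in the message above (no SNI goes to the default site, a known name goes to its own backend, any other SNI goes to Tor). The backend addresses, the KNOWN_HOSTS table and the build_client_hello() helper used to construct sample input are all assumptions made here for the sake of a runnable illustration.

```python
import struct

# Assumed addresses, matching the numbers in the message above.
DEFAULT_BACKEND = ("127.0.0.1", 1443)   # the "favourite" site: also the no-SNI fallback
TOR_BACKEND = ("127.0.0.1", 1337)       # where Tor would listen in this set-up
# Assumed lookup table of names this frontend serves itself.
KNOWN_HOSTS = {"example.com": ("127.0.0.1", 1443)}


def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, or None.

    None also covers non-TLS bytes, a truncated record, and a ClientHello
    without an extensions block (old clients that never send SNI)."""
    # Record header: content type (0x16 = handshake), version, length.
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:        # handshake type 1 = ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:                  # truncated: caller must buffer more
        return None
    pos = 2 + 32                            # client_version + random
    if pos >= len(body):
        return None
    sid_len = body[pos]                     # session_id
    pos += 1 + sid_len
    if pos + 2 > len(body):
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 2 + cs_len
    if pos >= len(body):
        return None
    cm_len = body[pos]                      # compression_methods
    pos += 1 + cm_len
    if pos + 2 > len(body):                 # no extensions at all -> no SNI
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0:                      # 0 = server_name extension
            continue
        p = 2                               # skip server_name_list length
        while p + 3 <= len(edata):
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            p += 3
            name = edata[p:p + nlen]
            p += nlen
            if ntype == 0:                  # host_name
                return name.decode("ascii", "replace").lower()
    return None


def route(record):
    """Pick the backend for the first record of a TLS connection."""
    sni = extract_sni(record)
    if sni is None:
        return DEFAULT_BACKEND              # legacy, SNI-less browsers
    if sni in KNOWN_HOSTS:
        return KNOWN_HOSTS[sni]
    return TOR_BACKEND                      # unknown name: hand it to Tor


def build_client_hello(server_name=None):
    """Constructed sample input: a bare ClientHello, with or without SNI."""
    body = (b"\x03\x03" + b"\x11" * 32      # version, random (fixed for the test)
            + b"\x00"                       # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
            + b"\x01\x00")                  # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(sni_list)) + sni_list
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for hello in (build_client_hello(), build_client_hello("example.com"),
                  build_client_hello("www.abcdefghijkl.net")):
        print(extract_sni(hello), "->", route(hello))
```

One caveat a real frontend needs that this sketch glosses over: the decision must wait until the whole first record has arrived, since a ClientHello split across two reads would otherwise look SNI-less and land on the default site rather than on Tor.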