[tor-dev] Networks Blocking Tor's SSL Connections

David Fifield david at bamsoftware.com
Wed Oct 7 03:34:16 UTC 2015

On Wed, Oct 07, 2015 at 10:06:00AM +1100, Tim Wilson-Brown - teor wrote:
> Hi All,
> This morning I observed a “free wifi” network blocking tor’s SSL connections.
> While other SSL connections from my machine went through, I observed multiple
> network traces of tor completing a TCP 3-way handshake, and then getting no
> reply to the first SSL packet it sent.
> I think they may have been blocking unknown or untested certificates, but I
> can’t be sure.
> Still, I was able to use meek(-google) to access tor.
> Has anyone else seen this kind of blocking behaviour?
> (Is this the right list?)

I don't know about specific instances in the free wifi scenario, but
some national censorship systems work that way, observing something
about the handshake rather than blacklisting the IP addresses of
directory authorities or relays.

Iran filters Tor by ssl handshake, Sept 2011

GFW probes based on Tor's SSL cipher list (Dec 2011)

Ethiopia blocks Tor based on ServerHello (Jun 2012)

Kazakhstan uses DPI to block Tor (Jun 2012)

UAE uses DPI to block Tor (Jun 2012)

The Philippines are blocking Tor? (Jun 2012)

How is Iran blocking Tor? (Oct 2012)

SSL handshake filtered when MAX_SSL_KEY_LIFETIME_ADVERTISED is 365 days (Mar 2013)
