[tor-dev] ClientAuthV3 for v3 onions via Tor controller is accepted by ADD_ONION but seems to get ignored

Miguel Jacq mig at mig5.net
Mon May 3 06:38:08 UTC 2021

Hi there,

I'm one of the OnionShare developers and I'm trying to implement the new support for ClientAuthV3 via the controller as per [1] (thanks for adding it!). Since OnionShare depends on Stem, I also began by adding support for passing the ClientAuthV3 argument and V3Auth flag into Stem (I intend to submit that as a PR once I solve the problem below, but I think the problem isn't Stem-specific).

I can send the ClientAuthV3 base32-encoded public key and the V3Auth flag to ADD_ONION, and get a 250 response back.

The problem is that when I then visit the onion address, it doesn't actually require the Client Auth that was set :) 

I am running the nightly Tor on Debian 10 (Buster):

Tor version
Tor is running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma 5.2.4, Libzstd 1.3.8 and Glibc 2.28 as libc.
Tor compiled with GCC version 8.3.0

Steps to reproduce:

1) Take these public and private base32-encoded strings (as generated by [2], if you want to generate different ones)


2) Start a simple service on localhost:9735:

echo Hi | nc -l 9735

3) Connect to Tor's control port and add an onion with a private key that will derive the onion address rujvluxdgiibem3odopgkgiiajgtwfbdgkuqfyydhl5qupotpwyxjaid.onion (or put your own if you wish):

user@onionshare:~$ sudo telnet localhost 9051
Trying ::1...
Connected to localhost.
Escape character is '^]'.
authenticate ""
250 OK
ADD_ONION ED25519-V3:MNkxu0oI0CX6Oq1AEroRGSAiqXurEbzBdraDKJB1pkNkl9hNCr+bagdAg7gA4F3M/FrF7BHBdh5zdvkHB7oO4w== ClientAuthV3=FGTORMIDKR7T2PR632HSHLWA4G6HF5TCWSGMHDUU4LWBEFTAVYQQ Flags=V3Auth Port=80,9735
250 OK

4) Visit http://rujvluxdgiibem3odopgkgiiajgtwfbdgkuqfyydhl5qupotpwyxjaid.onion and expect to get the Tor Browser pop-up dialog '[onion service] is requesting that you authenticate.. Enter your private key for this onion service'. etc

Instead: the service loads 'Hi' without any requirement for Client Auth occurring. I never added the private key to Tor Browser in any way.

Is it a bug, or am I doing it wrong somehow?



[1] https://gitlab.torproject.org/tpo/core/tor/-/issues/40084
[2] https://github.com/pastly/python-snippits/blob/master/src/tor/x25519-gen.py
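
Added example, not part of the original message and not code from Tor, Stem or OnionShare: a dependency-free Python version of step 1 that generates an x25519 key pair and formats it as the ClientAuthV3 argument used in step 3, plus the client-side line in the `<address>:descriptor:x25519:<key>` form that Tor's manual gives for auth_private files. The function names are hypothetical, and the pure-Python X25519 (RFC 7748) is not constant-time, so treat it as a way to check key formats and use a vetted library for keys that protect a real service.

```python
import base64
import os

P = 2**255 - 19                          # Curve25519 field prime (RFC 7748)
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 (Montgomery ladder). Not constant-time."""
    k_int = (int.from_bytes(k, "little") & ((1 << 255) - 8)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def b32(raw: bytes) -> str:
    """Unpadded upper-case base32, the form of the ClientAuthV3 value above."""
    return base64.b32encode(raw).decode().rstrip("=")

def decode_key(text: str) -> bytes:
    """Reject anything that is not a 52-character base32 string of 32 bytes."""
    if len(text) != 52:
        raise ValueError("expected 52 base32 characters")
    return base64.b32decode(text + "====")

def client_auth_material(onion_addr: str, private=None) -> dict:
    """Key pair plus the strings each side needs (onion_addr without .onion)."""
    private = private or os.urandom(32)
    public = b32(x25519(private, BASE_POINT))
    return {
        "add_onion_args": f"ClientAuthV3={public} Flags=V3Auth",
        "private_b32": b32(private),  # what the client enters when prompted
        "auth_private_line": f"{onion_addr}:descriptor:x25519:{b32(private)}",
    }

if __name__ == "__main__":
    print(client_auth_material("rujvluxdgiibem3odopgkgiiajgtwfbdgkuqfyydhl5qupotpwyxjaid"))
```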