[tor-relays] [tor-talk] obfsproxy failure: obfs3
lee colleton
lee at colleton.net
Thu Aug 22 17:55:35 UTC 2013
here's that email again in plain text (previously held for moderation
due to message size)
On Thu, Aug 22, 2013 at 3:13 AM, lee colleton <lee at colleton.net> wrote:
>
> here's both "netstat - tulpen" and "netstat -tulpen"
>
> lee at tor-bootstrap:~$ netstat - tulpen
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 256 tor-bootstrap.c.tor:ssh li388-156.members:39392 ESTABLISHED
> tcp 0 0 tor-bootstrap.c.t:45903 grn-it.gnuradionet:9001 ESTABLISHED
> tcp 0 0 tor-bootstrap.c.t:48994 torproxy02.teamcym:9001 ESTABLISHED
> tcp 0 0 tor-bootstrap.c.t:46128 xray275.server4you:9001 TIME_WAIT
> tcp 0 0 tor-bootstrap.c.t:47652 metadata.google.in:http TIME_WAIT
> tcp 0 0 tor-bootstrap.c.t:47654 metadata.google.in:http ESTABLISHED
> tcp 0 48 tor-bootstrap.c.tor:ssh li388-156.members:34711 ESTABLISHED
> tcp 0 0 tor-bootstrap.c.t:41250 metadata.google.in:http ESTABLISHED
> tcp 0 0 tor-bootstrap.c.t:56064 static.68.158.9.5.:9001 ESTABLISHED
> Active UNIX domain sockets (w/o servers)
> Proto RefCnt Flags Type State I-Node Path
> unix 2 [ ] DGRAM 283 @google-simple-watchdog
> unix 8 [ ] DGRAM 2235 /dev/log
> unix 3 [ ] STREAM CONNECTED 1765015
> unix 3 [ ] STREAM CONNECTED 1765014
> unix 2 [ ] DGRAM 1765013
> unix 3 [ ] STREAM CONNECTED 1735417
> unix 3 [ ] STREAM CONNECTED 1735416
> unix 3 [ ] STREAM CONNECTED 17047 /var/run/tor/control
> unix 3 [ ] STREAM CONNECTED 17046
> unix 2 [ ] DGRAM 17019
> unix 2 [ ] DGRAM 17016
> unix 3 [ ] STREAM CONNECTED 16926
> unix 3 [ ] STREAM CONNECTED 16925
> unix 3 [ ] STREAM CONNECTED 6135
> unix 3 [ ] STREAM CONNECTED 6134
> unix 2 [ ] DGRAM 6133
> unix 2 [ ] DGRAM 2658
> unix 2 [ ] DGRAM 2541
> unix 2 [ ] DGRAM 2479
> unix 3 [ ] DGRAM 553
> unix 3 [ ] DGRAM 552
> lee at tor-bootstrap:~$ netstat -tulpen
> (No info could be read for "-p": geteuid()=1000 but you should be root.)
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
> tcp 0 0 0.0.0.0:40872 0.0.0.0:* LISTEN 103 16963 -
> tcp 0 0 0.0.0.0:9001 0.0.0.0:* LISTEN 0 16931 -
> tcp 0 0 0.0.0.0:52176 0.0.0.0:* LISTEN 103 16970 -
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 2727 -
> tcp6 0 0 :::22 :::* LISTEN 0 2729 -
> udp 0 0 0.0.0.0:68 0.0.0.0:* 0 2108 -
> udp 0 0 0.0.0.0:55889 0.0.0.0:* 0 2086 -
> udp 0 0 10.240.245.45:123 0.0.0.0:* 0 2674 -
> udp 0 0 127.0.0.1:123 0.0.0.0:* 0 2673 -
> udp 0 0 0.0.0.0:123 0.0.0.0:* 0 2666 -
> udp6 0 0 :::123 :::* 0 2667 -
> udp6 0 0 :::55026 :::* 0 2087 -
> lee at tor-bootstrap:~$
>
>
>
> On Thu, Aug 22, 2013 at 3:02 AM, Admin <webmaster at afo-tm.org> wrote:
>>
>> Looks like nothing does listen on port 443 can you post the output of "netstat - tulpen"?
>>
>> Am 22.08.2013 00:42 schrieb "lee colleton" <lee at colleton.net>:
>>>
>>> I'm still having trouble connecting to my obfsproxy bridge; Any pointers would be appreciated. External scanning indicates that the correct ports are open except for port 443 but it's definitely open on the firewall.
>>>
>>> lee at li388-156:~$ nmap -p 22,443,9001,40872,52176 173.255.119.202
>>>
>>> Starting Nmap 5.21 ( http://nmap.org ) at 2013-08-21 16:44 EDT
>>> Nmap scan report for 202.119.255.173.bc.googleusercontent.com (173.255.119.202)
>>> Host is up (0.16s latency).
>>> PORT STATE SERVICE
>>> 22/tcp open ssh
>>> 443/tcp closed https
>>> 9001/tcp open tor-orport
>>> 40872/tcp open unknown
>>> 52176/tcp open unknown
>>>
>>> lee at li388-156:~$ openssl s_client -showcerts -connect 173.255.119.202:443
>>> connect: Connection refused
>>> connect:errno=111
>>>
>>> maybe this? https://trac.torproject.org/projects/tor/ticket/5104
>>>
>>> Confirming that 443 is accessible:
>>>
>>> lee at tor-bootstrap:~$ sudo python -m SimpleHTTPServer 443
>>>
>>> Serving HTTP on 0.0.0.0 port 443 ...
>>> 106.187.45.156 - - [21/Aug/2013 22:39:16] code 400, message Bad request syntax ('\x16\x03\x01\x00\xdc\x01\x00\x00\xd8\x03\x02R\x15A\x94\xc5\xfc\xc1(\x04O\xe0\xee@\x92d\x17.\xd9N\xa1Q\xb3$_\xa6H\xc6adp\xa11\x00\x00f\xc0\x14\xc0')
>>> 106.187.45.156 - - [21/Aug/2013 22:39:16] " � � R A����( O��@�d .�N�Q�$_�H�adp�1f� �" 400 -
>>>
>>> lee at li388-156:~$ openssl s_client -showcerts -connect 173.255.119.202:443
>>> CONNECTED(00000003)
>>> 140181545842336:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:749:
>>> ---
>>> no peer certificate available
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 7 bytes and written 225 bytes
>>> ---
>>> New, (NONE), Cipher is (NONE)
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>> ---
>>>
>>>
>>>
>>>
>>> On Thu, Aug 15, 2013 at 10:14 AM, lee colleton <lee at colleton.net> wrote:
>>>>
>>>> -tor-relay
>>>> +tor-relays
>>>>
>>>>
>>>> On Thu, Aug 15, 2013 at 10:13 AM, lee colleton <lee at colleton.net> wrote:
>>>>>
>>>>> All of the ports respond on the external IP except for 443 but I can connect via SSL on 9001. I don't understand how ORListenAddress is supposed to work: my bridge times out on 443 but when I comment out the ORListenAddress line it doesn't connect via obfsproxy at all.
>>>>>
>>>>> Please advise.
>>>>>
>>>>>
>>>>> On Thu, Aug 15, 2013 at 1:47 AM, lee colleton <lee at colleton.net> wrote:
>>>>>>
>>>>>> With the ORListenAddress line uncommented, a slightly different failure results:
>>>>>>
>>>>>> Orbot is starting…
>>>>>> Orbot is starting…
>>>>>> got tor proc id: 28490
>>>>>> Tor process id=28490
>>>>>>
>>>>>> Connecting to control port: 9051
>>>>>> SUCCESS connected to control port
>>>>>> SUCCESS authenticated to control port
>>>>>> Starting Tor client… complete.
>>>>>> adding control port event handler
>>>>>> SUCCESS added control port event handler
>>>>>> Starting privoxy process
>>>>>> /data/data/org.torproject.android/app_bin/privoxy /data/data/org.torproject.android/app_bin/privoxy.config &
>>>>>> NOTICE: Heartbeat: Tor's uptime is 0:00 hours, with 0 circuits open. I've sent 0 kB and received 0 kB.
>>>>>> Privoxy is running on port:8118
>>>>>> Privoxy process id=28508
>>>>>>
>>>>>> Network connectivity is good. Waking Tor up...
>>>>>> Circuit (1) LAUNCHED:
>>>>>> NOTICE: Bootstrapped 5%: Connecting to directory server.
>>>>>> orConnStatus (173.255.119.202:443): LAUNCHED
>>>>>> NOTICE: Bootstrapped 10%: Finishing handshake with directory server.
>>>>>> Circuit (1) FAILED: ONEHOP_TUNNEL > IS_INTERNAL > NEED_CAPACITY
>>>>>> NOTICE: Your application (using socks4a to port 443) instructed Tor to take care of the DNS resolution itself if necessary. This is good.
>>>>>> NOTICE: Your application (using socks4a to port 80) instructed Tor to take care of the DNS resolution itself if necessary. This is good.
>>>>>> NOTICE: Your application (using socks4a to port 443) instructed Tor to take care of the DNS resolution itself if necessary. This is good.
>>>>>> NOTICE: Your application (using socks4a to port 80) instructed Tor to take care of the DNS resolution itself if necessary. This is good.
>>>>>> NOTICE: Your application (using socks4a to port 443) instructed Tor to take care of the DNS resolution itself if necessary. This is good.
>>>>>> NOTICE: Your application (using socks4a to port 80) instructed Tor to take care of the DNS resolution itself if necessary. This is good.
>>>>>> NOTICE: Your application (using socks4a to port 443) instructed Tor to take care of the DNS resolution itself if necessary. This is good.
>>>>>> NOTICE: Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for circuit)
>>>>>> NOTICE: Your application (using socks4a to port 443) instructed Tor to take care of the DNS resolution itself if necessary. This is good.
>>>>>>
>>>>>> On Aug 15, 2013 1:41 AM, "lee colleton" <lee at colleton.net> wrote:
>>>>>>>
>>>>>>> When I attempt to connect to this bridge, I see a failure in handshaking:
>>>>>>>
>>>>>>> Orbot is starting…
>>>>>>> Orbot is starting…
>>>>>>> got tor proc id: 27365
>>>>>>> Tor process id=27365
>>>>>>> Connecting to control port: 9051
>>>>>>> SUCCESS connected to control port
>>>>>>> SUCCESS authenticated to control port
>>>>>>> Starting Tor client… complete.
>>>>>>> adding control port event handler
>>>>>>> SUCCESS added control port event handler
>>>>>>> Starting privoxy process
>>>>>>> /data/data/org.torproject.android/app_bin/privoxy /data/data/org.torproject.android/app_bin/privoxy.config &
>>>>>>> NOTICE: Heartbeat: Tor's uptime is 0:00 hours, with 0 circuits open. I've sent 0 kB and received 0 kB.
>>>>>>> Privoxy is running on port:8118
>>>>>>> Privoxy process id=27393
>>>>>>> Network connectivity is good. Waking Tor up...
>>>>>>> Circuit (1) LAUNCHED:
>>>>>>> NOTICE: Bootstrapped 5%: Connecting to directory server.
>>>>>>> orConnStatus (173.255.119.202:443): LAUNCHED
>>>>>>> NOTICE: Bootstrapped 10%: Finishing handshake with directory server.
>>>>>>> NOTICE: We weren't able to find support for all of the TLS ciphersuites that we wanted to advertise. This won't hurt security, but it might make your Tor (if run as a client) more easy for censors to block.
>>>>>>> NOTICE: To correct this, use a more recent OpenSSL, built without disabling any secure ciphers or features.
>>>>>>> Circuit (1) FAILED: ONEHOP_TUNNEL > IS_INTERNAL > NEED_CAPACITY
>>>>>>> orConnStatus (173.255.119.202:443): FAILED
>>>>>>> WARN: Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 1; recommendation warn)
>>>>>>> WARN: 1 connections have failed:
>>>>>>> WARN: 1 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE
>>>>>>> NOTICE: Your application (using socks4a to port 80) instructed Tor to take care of the DNS resolution itself if necessary. This is good.
>>>>>>> NOTICE: Your application (using socks4a to port 443) instructed Tor to take care of the DNS resolution itself if necessary. This is good.
>>>>>>> NOTICE: Your application (using socks4a to port 80) instructed Tor to take care of the DNS resolution itself if necessary. This is good.
>>>>>>>
>>>>>>> On Aug 15, 2013 12:31 AM, "lee colleton" <lee at colleton.net> wrote:
>>>>>>>>
>>>>>>>> When I comment out the ORListenAddress line things look OK.
>>>>>>>>
>>>>>>>> # Listen on a port other than the one advertised in ORPort (that is,
>>>>>>>> # advertise 443 but bind to 9001).
>>>>>>>> #ORListenAddress 0.0.0.0:9001
>>>>>>>>
>>>>>>>> Aug 15 06:52:50.000 [notice] Tor 0.2.4.16-rc (git-dcf6b6d7dda9ffbd) opening log file.
>>>>>>>> Aug 15 06:52:50.000 [notice] We were built to run on a 64-bit CPU, with OpenSSL 1.0.1 or later, but with a version of OpenSSL that apparently lacks accelerated support for the NIST P-224 and P-256 groups. Building openssl with such support (using the enable-ec_nistp_64_gcc_128 option when configuring it) would make ECDH much faster.
>>>>>>>> Aug 15 06:52:50.000 [notice] Your Tor server's identity key fingerprint is 'gcedemo 08C752E8E86EB5916574A8625030B0EC204EABB8'
>>>>>>>> Aug 15 06:52:50.000 [notice] Configured hibernation. This interval began at 2013-08-15 00:00:00; the scheduled wake-up time was 2013-08-15 00:00:00; we expect to exhaust our quota for this interval around 2013-08-16 00:00:00; the next interval begins at 2013-08-16 00:00:00 (all times local)
>>>>>>>> Aug 15 06:52:50.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
>>>>>>>> Aug 15 06:52:50.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
>>>>>>>> Aug 15 06:52:50.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
>>>>>>>> Aug 15 06:52:51.000 [notice] We now have enough directory information to build circuits.
>>>>>>>> Aug 15 06:52:51.000 [notice] Bootstrapped 80%: Connecting to the Tor network.
>>>>>>>> Aug 15 06:52:52.000 [notice] Bootstrapped 85%: Finishing handshake with first hop.
>>>>>>>> Aug 15 06:52:53.000 [notice] Guessed our IP address as 173.255.119.202 (source: 38.229.70.33).
>>>>>>>> Aug 15 06:52:53.000 [notice] Bootstrapped 90%: Establishing a Tor circuit.
>>>>>>>> Aug 15 06:52:53.000 [notice] Registered server transport 'obfs3' at '0.0.0.0:40872'
>>>>>>>> Aug 15 06:52:53.000 [notice] Registered server transport 'obfs2' at '0.0.0.0:52176'
>>>>>>>> Aug 15 06:52:55.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
>>>>>>>> Aug 15 06:52:55.000 [notice] Bootstrapped 100%: Done.
>>>>>>>> Aug 15 06:52:55.000 [notice] Now checking whether ORPort 173.255.119.202:443 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
>>>>>>>> Aug 15 06:53:04.000 [notice] New control connection opened.
>>>>>>>> Aug 15 07:10:11.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Aug 14, 2013 at 9:53 PM, lee colleton <lee at colleton.net> wrote:
>>>>>>>>>
>>>>>>>>> Yes, I've opened the ports in the Google Compute Engine (see below). I'll follow up on their forum to make sure I've altered the firewall properly.
>>>>>>>>>
>>>>>>>>> --lee
>>>>>>>>>
>>>>>>>>> lee at li388-156:~$ gcutil --service_version="v1beta15" --project="colleton.net:tor-cloud" listfirewalls
>>>>>>>>> +------------------------+---------------------------------------+---------+------------+-------------+-------------+
>>>>>>>>> | name | description | network | source-ips | source-tags | target-tags |
>>>>>>>>> +------------------------+---------------------------------------+---------+------------+-------------+-------------+
>>>>>>>>> | default-allow-internal | Internal traffic from default allowed | default | 10.0.0.0/8 | | |
>>>>>>>>> | default-ssh | SSH allowed from anywhere | default | 0.0.0.0/0 | | |
>>>>>>>>> | tor-obfsproxy | | default | 0.0.0.0/0 | | obfsproxy |
>>>>>>>>> +------------------------+---------------------------------------+---------+------------+-------------+-------------+
>>>>>>>>> lee at li388-156:~$ gcutil --service_version="v1beta15" --project="colleton.net:tor-cloud" getfirewall tor-obfsproxy
>>>>>>>>> +---------------+-------------------------------+
>>>>>>>>> | property | value |
>>>>>>>>> +---------------+-------------------------------+
>>>>>>>>> | name | tor-obfsproxy |
>>>>>>>>> | description | |
>>>>>>>>> | creation-time | 2013-08-07T18:37:35.986-07:00 |
>>>>>>>>> | network | default |
>>>>>>>>> | source-ips | 0.0.0.0/0 |
>>>>>>>>> | source-tags | |
>>>>>>>>> | target-tags | obfsproxy |
>>>>>>>>> | allowed | tcp: 443, 9001, 40872, 52176 |
>>>>>>>>> +---------------+-------------------------------+
>>>>>>>>> lee at li388-156:~$
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Wed, Aug 14, 2013 at 9:19 PM, Roger Dingledine <arma at mit.edu> wrote:
>>>>>>>>>>
>>>>>>>>>> On Wed, Aug 14, 2013 at 09:08:03AM -0700, lee colleton wrote:
>>>>>>>>>> > There's a more serious issue in that my server doesn't appear to be
>>>>>>>>>> > reachable. I've opened tcp:443,9001 along with the two specifiedobfsproxy
>>>>>>>>>> > ports
>>>>>>>>>> >
>>>>>>>>>> > Aug 14 15:26:58.000 [notice] Bootstrapped 100%: Done.
>>>>>>>>>> > Aug 14 15:26:58.000 [notice] Now checking whether ORPort
>>>>>>>>>> > 173.255.119.202:443 is reachable... (this may take up to 20 minutes --
>>>>>>>>>> > look for log messages indicating success)
>>>>>>>>>> > Aug 14 15:28:00.000 [notice] New control connection opened.
>>>>>>>>>> > Aug 14 15:46:56.000 [warn] Your server (173.255.119.202:443) has not
>>>>>>>>>> > managed to confirm that its ORPort is reachable. Please check your
>>>>>>>>>> > firewalls, ports, address, /etc/hosts file, etc.
>>>>>>>>>>
>>>>>>>>>> Well, that's because it's unreachable. (I just tried.)
>>>>>>>>>>
>>>>>>>>>> Can you try following the suggestion in the log message?
>>>>>>>>>>
>>>>>>>>>> --Roger
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> tor-talk mailing list - tor-talk at lists.torproject.org
>>>>>>>>>> To unsusbscribe or change other settings go to
>>>>>>>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> tor-relays mailing list
>>> tor-relays at lists.torproject.org
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>>
>
More information about the tor-relays
mailing list