Discussion:
[tor-talk] Fixing Orchid (again), need help!
Masayuki Hatta
2018-11-08 11:10:56 UTC
Hi!

As I wrote here some time ago, I fixed Orchid the Java Tor, and it
worked for a while.

https://lists.torproject.org/pipermail/tor-talk/2018-April/044133.html

Recently (I think it was around July-Aug), Orchid became unworkable
again. I'm trying to but can't figure out the cause, so I appreciate
your help.

Orchid's repo is here: https://github.com/mhatta/Orchid

As far as I could see, now Orchid hangs because it can't receive
VERSIONS cells so the first handshake with Directory Authorities can't
be finished. Some change at Dir Auths (updating new version of Tor, I
guess) might cause this, but I can't figure out which changes affect
this. Do you have any idea?

Best regards,
MH

--
Masayuki Hatta
Associate Professor, Faculty of Economics and Management, Surugadai
University, Japan

http://about.me/mhatta

***@gnu.org / ***@debian.org / ***@opensource.jp /
***@surugadai.ac.jp
--
tor-talk mailing list - tor-***@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-tal
Nick Mathewson
2018-11-08 15:14:14 UTC
What versions does Orchid send in its VERSIONS cell?
Masayuki Hatta
2018-11-09 09:16:50 UTC
Hi, thanks for the comment!

Orchid sends "3".

In src/main/java/com/subgraph/orchid/connections/ConnectionHandshakeV3.java,

    void runHandshake() throws IOException, InterruptedException,
            ConnectionIOException {
        sendVersions(3);
        receiveVersions();
        recvCerts();
        recvAuthChallengeAndNetinfo();
        verifyCertificates();
        sendNetinfo();
    }

Currently, Orchid is stuck inside receiveVersions.

Best regards,
MH
Masayuki Hatta
2018-11-18 14:12:27 UTC
Hi,

Some follow-up on fixing Orchid.

AFAIK Orchid connects to one of the dir auths and sends a (variable length)
VERSIONS cell, which seems to be correct. After a while, the
connection to the dir auth is closed and gets:

2018-11-18 14:55:18,919 DEBUG - ConnectionImpl - Closing connection to !bastet!
connectionControlCells.take = Cell: circuit_id=0 command=0 payload_len=3

I think command=0 is weird (padding?), but I don't know what it is
supposed to be. Appreciate any hints.

Best regards,
MH
Masayuki Hatta
2018-11-19 20:35:18 UTC
Hi,

Seems I could fix Orchid.

The problem is neither Tor nor Orchid, seems the list of OpenJDK's
CipherSuites has been changed (I'm using Debian's OpenJDK 10).

Currently, Orchid contains the code in
src/main/java/com/subgraph/orchid/connections/ConnectionSocketFactory.java
like:

    private static final String[] MANDATORY_CIPHERS = {
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    };

Then calls socket.setEnabledCipherSuites(MANDATORY_CIPHERS).

Now I changed this MANDATORY_CIPHERS to the result of
socket.getSupportedCipherSuites() and Orchid works again!

private static final String[] MANDATORY_CIPHERS = {
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_RSA_WITH_AES_256_CBC_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
"TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
"TLS_DH_anon_WITH_AES_256_GCM_SHA384",
"TLS_DH_anon_WITH_AES_128_GCM_SHA256",
"TLS_DH_anon_WITH_AES_256_CBC_SHA256",
"TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
"TLS_DH_anon_WITH_AES_256_CBC_SHA",
"TLS_DH_anon_WITH_AES_128_CBC_SHA256",
"TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
"TLS_DH_anon_WITH_AES_128_CBC_SHA",
"SSL_RSA_WITH_DES_CBC_SHA",
"SSL_DHE_RSA_WITH_DES_CBC_SHA",
"SSL_DHE_DSS_WITH_DES_CBC_SHA",
"SSL_DH_anon_WITH_DES_CBC_SHA",
"TLS_RSA_WITH_NULL_SHA256",
"TLS_ECDHE_ECDSA_WITH_NULL_SHA",
"TLS_ECDHE_RSA_WITH_NULL_SHA",
"SSL_RSA_WITH_NULL_SHA",
"TLS_ECDH_ECDSA_WITH_NULL_SHA",
"TLS_ECDH_RSA_WITH_NULL_SHA",
"TLS_ECDH_anon_WITH_NULL_SHA",
"SSL_RSA_WITH_NULL_MD5",
"TLS_KRB5_WITH_DES_CBC_SHA",
"TLS_KRB5_WITH_DES_CBC_MD5",
};

I'm pretty sure I don't need some of (or maybe most of) them, but it
doesn't exactly correspond to the fixed ciphersuite list (torspec
2.1), so need some more investigation.

Best regards,
MH
grarpamp
2018-11-20 03:03:38 UTC
You could likely remove the ones not mentioned
in torspec or the tor code, most of which are deprecated,
and potentially add compatibility for these TLS 1.3 suites
from OpenSSL 1.1.1 in case tor adds them later,
so long as current tor does not reject hellos with them...

TLS_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
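
Added example (not part of the thread and not Orchid's code): the 2018-11-19 post enables every suite returned by getSupportedCipherSuites(), including NULL, anon, single-DES and KRB5 entries, and the reply above suggests trimming the list. One way to do that is to filter the runtime's supported suites instead of hard-coding names. The class name CipherSuiteFilter and the REJECT markers are assumptions of this example; it does not reproduce the torspec list.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

public class CipherSuiteFilter {
    // Assumed markers: no encryption, no authentication, DES, RC4, export, Kerberos.
    private static final String[] REJECT =
        { "_NULL_", "_anon_", "_DES_", "_RC4_", "_EXPORT", "_KRB5_" };

    static boolean isAcceptable(String suite) {
        if (suite.endsWith("_MD5")) return false;
        for (String marker : REJECT) {
            if (suite.contains(marker)) return false;
        }
        return true;
    }

    // Keeps the runtime's preference order and drops rejected suites.
    static String[] filter(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String suite : supported) {
            if (isAcceptable(suite)) keep.add(suite);
        }
        if (keep.isEmpty()) throw new IllegalStateException("no acceptable cipher suite left");
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: names copied from the lists in this thread.
        String[] sample = {
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA",
            "SSL_DHE_RSA_WITH_DES_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_NULL_SHA",
            "TLS_AES_128_GCM_SHA256",
        };
        // Only the first and last sample entries pass the filter.
        System.out.println(Arrays.toString(filter(sample)));

        // Same filter applied to whatever the running JVM supports.
        try (SSLSocket socket = (SSLSocket)
                SSLContext.getDefault().getSocketFactory().createSocket()) {
            socket.setEnabledCipherSuites(filter(socket.getSupportedCipherSuites()));
            System.out.println(socket.getEnabledCipherSuites().length + " suites enabled");
        }
    }
}
```

Because the list is derived from the running JVM, a JDK update that drops or renames suites shrinks the enabled set instead of leaving a hard-coded list with no usable entries.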