Hi,
Seems I could fix Orchid.
The problem is neither Tor nor Orchid, seems the list of OpenJDK's
CipherSuites has been changed (I'm using Debian's OpenJDK 10).
Currently, Orchid contains the code in
src/main/java/com/subgraph/orchid/connections/ConnectionSocketFactory.java
like:
    private static final String[] MANDATORY_CIPHERS = {
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    };
Then calls socket.setEnabledCipherSuites(MANDATORY_CIPHERS).
Now I changed this MANDATORY_CIPHERS to the result of
socket.getSupportedCipherSuites() and Orchid works again!
    private static final String[] MANDATORY_CIPHERS = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
        "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
        "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
        "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
        "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
        "TLS_DH_anon_WITH_AES_256_CBC_SHA",
        "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
        "TLS_DH_anon_WITH_AES_128_CBC_SHA",
        "SSL_RSA_WITH_DES_CBC_SHA",
        "SSL_DHE_RSA_WITH_DES_CBC_SHA",
        "SSL_DHE_DSS_WITH_DES_CBC_SHA",
        "SSL_DH_anon_WITH_DES_CBC_SHA",
        "TLS_RSA_WITH_NULL_SHA256",
        "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
        "TLS_ECDHE_RSA_WITH_NULL_SHA",
        "SSL_RSA_WITH_NULL_SHA",
        "TLS_ECDH_ECDSA_WITH_NULL_SHA",
        "TLS_ECDH_RSA_WITH_NULL_SHA",
        "TLS_ECDH_anon_WITH_NULL_SHA",
        "SSL_RSA_WITH_NULL_MD5",
        "TLS_KRB5_WITH_DES_CBC_SHA",
        "TLS_KRB5_WITH_DES_CBC_MD5",
    };
I'm pretty sure I don't need some of (or maybe most of) them, but it
doesn't exactly correspond to the fixed ciphersuite list (torspec
2.1), so need some more investigation.
Best regards,
MH
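
An added example, not part of the original post or of Orchid's code: rather than enabling everything getSupportedCipherSuites() returns (the list above includes NULL, anon and single-DES suites), filter that list and keep the original four suites first when the JVM still offers them. setEnabledCipherSuites() throws IllegalArgumentException for a name the JVM does not support, so only names taken from the supported list are passed on; the class name, the REJECT markers and the fallback ordering are assumptions.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class CipherSuiteFilter {
    // The four suites from the original MANDATORY_CIPHERS, tried first when the JVM has them.
    static final String[] PREFERRED = {
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    };

    // Assumed reject markers: no encryption (NULL), no authentication (anon),
    // single DES, export-grade, RC4 and Kerberos suites. "_DES_" does not match 3DES_EDE.
    static final String[] REJECT = {"_NULL_", "_anon_", "_DES_", "_EXPORT_", "_RC4_", "_KRB5_"};

    static boolean isAcceptable(String suite) {
        for (String marker : REJECT) {
            if (suite.contains(marker)) return false;
        }
        return true;
    }

    // Returns the preferred suites that are supported, followed by the remaining
    // acceptable suites in the JVM's own order. Never names an unsupported suite.
    static String[] select(String[] preferred, String[] supported) {
        Set<String> available = new LinkedHashSet<>();
        for (String s : supported) {
            if (isAcceptable(s)) available.add(s);
        }
        List<String> enabled = new ArrayList<>();
        for (String p : preferred) {
            if (available.remove(p)) enabled.add(p);
        }
        enabled.addAll(available);
        return enabled.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        String[] enabled = select(PREFERRED, supported);
        System.out.println(supported.length + " supported, " + enabled.length + " enabled:");
        for (String s : enabled) System.out.println("  " + s);
        // In the socket factory this would become: socket.setEnabledCipherSuites(enabled);
    }
}
```

TLS_EMPTY_RENEGOTIATION_INFO_SCSV passes the filter on purpose: it is a signalling value for secure renegotiation, not a cipher.
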
Post by Masayuki Hatta
Hi,
Some follow-up on fixing Orchid.
AFAIK Orchid connects to one of the dir auths and sends a (variable length)
VERSIONS cell, which seems to be correct. After a while, the
2018-11-18 14:55:18,919 DEBUG - ConnectionImpl - Closing connection to !bastet!
connectionControlCells.take = Cell: circuit_id=0 command=0 payload_len=3
I think command=0 is weird (padding?), but I don't know what it is
supposed to be. Appreciate any hints.
Best regards,
MH
Post by Masayuki Hatta
Hi, thanks for the comment!
Orchid sends "3".
In src/main/java/com/subgraph/orchid/connections/ConnectionHandshakeV3.java,
    void runHandshake() throws IOException, InterruptedException,
            ConnectionIOException {
        sendVersions(3);
        receiveVersions();
        recvCerts();
        recvAuthChallengeAndNetinfo();
        verifyCertificates();
        sendNetinfo();
    }
Currently, Orchid is stuck inside receiveVersions.
Best regards,
MH
Post by Nick Mathewson
Post by Masayuki Hatta
Hi!
As I wrote here some time ago, I fixed Orchid the Java Tor, and it
worked for a while.
https://lists.torproject.org/pipermail/tor-talk/2018-April/044133.html
Recently (I think it was around July-Aug), Orchid became unworkable
again. I'm trying to but can't figure out the cause, so I appreciate
your help.
Orchid's repo is here: https://github.com/mhatta/Orchid
As far as I could see, now Orchid hangs because it can't receive
VERSIONS cells so the first handshake with Directory Authorities can't
be finished. Some change at Dir Auths (updating new version of Tor, I
guess) might cause this, but I can't figure out which changes affect
this. Do you have any idea?
Best regards,
What versions does Orchid send in its VERSIONS cell?
--
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
--
Masayuki Hatta
Associate Professor, Faculty of Economics and Management, Surugadai
University, Japan
http://about.me/mhatta
--
tor-talk mailing list - tor-***@lists.torproject.org