[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #24432 [Obfuscation/BridgeDB]: The meek<->moat tunneling isn't set up correctly



#24432: The meek<->moat tunneling isn't set up correctly
----------------------------------+--------------------------
 Reporter:  isis                  |          Owner:  isis
     Type:  defect                |         Status:  new
 Priority:  High                  |      Milestone:
Component:  Obfuscation/BridgeDB  |        Version:
 Severity:  Normal                |     Resolution:
 Keywords:  moat bridgedb-dist    |  Actual Points:
Parent ID:                        |         Points:  2
 Reviewer:                        |        Sponsor:  SponsorM
----------------------------------+--------------------------

Comment (by isis):

 So the meek tunnel is working, but the URL redirections are still not
 quite right…

 David Fifield helped me out by providing this `externalize-pt-client`
 script (now in `bridgedb.git/scripts/externalize-pt-client` in my
 `fix/24432` branch):

 {{{
 #!/bin/bash
 set -e
 CMDLINE="${@:?need a meek-client command line}"
 TRANSPORTS=meek
 # This could be controlled by a command-line arg.
 PORT=10000
 TOR_PT_MANAGED_TRANSPORT_VER=1 \
         TOR_PT_CLIENT_TRANSPORTS="$TRANSPORTS" $CMDLINE \
         | sed -n -u -e '/^CMETHOD /{s/^.*127\.0\.0\.1://;p}' | while read
 pt_port; do
         echo "forwarding port $PORT -> $pt_port"
         socat -v -v TCP-LISTEN:$PORT,fork,reuseaddr TCP-
 CONNECT:127.0.0.1:$pt_port &
 done
 }}}

 Also in that branch, I've modified `scripts/test-moat` to also (in
 addition to a localhost server) test the production server through the
 meek tunnel.  This can be accomplished by running David's script like so:

 {{{
 (bdb)∃!isisⒶwintermute:(develop *$>)~/code/torproject/bridgedb ∴ ./scripts
 /externalize-pt-client ~/code/go/src/git.torproject.org/pluggable-
 transports/meek/meek-client/meek-client -url https://tor-bridges-hyphae-
 channel.appspot.com/ -front www.google.com
 }}}

 Then, in another terminal, do:

 {{{
 (bdb)∃!isisⒶwintermute:(fix/24432 $)~/code/torproject/bridgedb ∴
 TEST_PRODUCTION_MOAT=1 ./scripts/test-moat fetch
 }}}

 For me, the bridges.torproject.org server responds with:

 {{{
 {"errors": [{"status": "Not Implemented", "code": 501, "detail": "moat
 version 0.1.0 does not implement POST /moat/fetch", "version": "0.1.0",
 "type": "", "id": 0}]}
 }}}

 Which means:

 1) the meek tunnel through https://tor-bridges-hyphae-channel.appspot.com
 works
 2) the TLS tunneling through the Apache instance on
 bridges.torproject.org:443 works
 3) the meek-server running on polyanthum (the bridges.torproject.org host)
 is correctly stripping the meek layer of TLS
 4) the Apache instance is correctly redirecting to the Twisted Python
 server
 5) the Twisted servers are responding
 6) the moat server specifically is responding, but it isn't giving the
 correct response, since it seems to think there's no such resource

 One thing is that, watching the logs while doing this, the Twisted server
 isn't registering that a request was even made, i.e. there's no logs of
 the request hitting the server (even though its responding with JSON API,
 which is a little weird). So the next step would probably be, in the usual
 Twisted fashion, to just add ridiculous amounts of log statements
 everywhere to figure out why it thinks there's no such resource.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24432#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs