[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Cannot finish handshake with directory server (Kazakhstan)

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Cannot finish handshake with directory server (Kazakhstan)
From: Andrew Lewman <andrew@xxxxxxxxxxxxxx>
Date: Wed, 29 Feb 2012 14:49:48 -0500
Authentication-results: lewman.is;
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 29 Feb 2012 14:50:05 -0500
In-reply-to: <20120228053036.GA2889@xxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Organization: The Tor Project, Inc.
References: <CADMkSkfqHSzqV+bMf9=tvAAEXV3hMAAYAjVdcjG7ZFJr11MbLw@xxxxxxxxxxxxxx> <20120228053036.GA2889@xxxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

On Tue, 28 Feb 2012 00:30:36 -0500
andrew@xxxxxxxxxxxxxx wrote:
> Indeed, see
> https://blog.torproject.org/blog/kazakhstan-upgrades-censorship-deep-packet-inspection
> 
> You need the obfsproxy bundle,
> https://www.torproject.org/projects/obfsproxy.html.en.

Here's slightly more data on .kz. A volunteer and I coordinated testing
and now we have both sides of the conversation. I don't think this
changes anything. It still seems the blocking is done at the client key
exchange. An alternative is that the server hello triggers the blocking
and the blocking is just really slow.

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475

|Time     | tor client in .kz |
|         |                   | tor bridge in .is |                   
|11875.330|         8281 > https [SYN]            |TCP: 8281 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1380 SACK_PERM=1
|         |(8281)   ------------------>  (443)    |
|11875.330|         https > 8281 [SYN,            |TCP: https > 8281 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1
|         |(8281)   <------------------  (443)    |
|11875.503|         8281 > https [ACK]            |TCP: 8281 > https [ACK] Seq=1 Ack=1 Win=64860 Len=0
|         |(8281)   ------------------>  (443)    |
|11875.506|         Client Hello                  |TLSv1: Client Hello
|         |(8281)   ------------------>  (443)    |
|11875.507|         https > 8281 [ACK]            |TCP: https > 8281 [ACK] Seq=1 Ack=202 Win=6432 Len=0
|         |(8281)   <------------------  (443)    |
|11875.510|         Server Hello, Certi           |TLSv1: Server Hello, Certificate, Server Key Exchange, Server Hello Done
|         |(8281)   <------------------  (443)    |
|11878.507|         [TCP Retransmission           |TLSv1: [TCP Retransmission] Server Hello, Certificate, Server Key Exchange, Server Hello Done
|         |(8281)   <------------------  (443)    |
|11884.507|         [TCP Retransmission           |TLSv1: [TCP Retransmission] Server Hello, Certificate, Server Key Exchange, Server Hello Done
|         |(8281)   <------------------  (443)    |
|11896.507|         [TCP Retransmission           |TLSv1: [TCP Retransmission] Server Hello, Certificate, Server Key Exchange, Server Hello Done
|         |(8281)   <------------------  (443)    |
|11920.507|         [TCP Retransmission           |TLSv1: [TCP Retransmission] Server Hello, Certificate, Server Key Exchange, Server Hello Done
|         |(8281)   <------------------  (443)    |
|11968.507|         [TCP Retransmission           |TLSv1: [TCP Retransmission] Server Hello, Certificate, Server Key Exchange, Server Hello Done
|         |(8281)   <------------------  (443)    |
|12064.507|         [TCP Retransmission           |TLSv1: [TCP Retransmission] Server Hello, Certificate, Server Key Exchange, Server Hello Done
|         |(8281)   <------------------  (443)    |
|12176.076|         https > 8281 [FIN,            |TCP: https > 8281 [FIN, ACK] Seq=934 Ack=202 Win=6432 Len=0
|         |(8281)   <------------------  (443)    |

|Time     | tor client in .kz |
|         |                   | tor bridge in .is |                   
|5.632    |         49398 > https [SYN]           |TCP: 49398 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
|         |(49398)  ------------------>  (443)    |
|5.806    |         https > 49398 [SYN,           |TCP: https > 49398 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380 SACK_PERM=1
|         |(49398)  <------------------  (443)    |
|5.806    |         49398 > https [ACK]           |TCP: 49398 > https [ACK] Seq=1 Ack=1 Win=64860 Len=0
|         |(49398)  ------------------>  (443)    |
|5.806    |         Client Hello                  |TLSv1: Client Hello
|         |(49398)  ------------------>  (443)    |
|5.982    |         https > 49398 [ACK]           |TCP: https > 49398 [ACK] Seq=1 Ack=202 Win=6432 Len=0
|         |(49398)  <------------------  (443)    |
|5.988    |         Server Hello, Certi           |TLSv1: Server Hello, Certificate, Server Key Exchange, Server Hello Done
|         |(49398)  <------------------  (443)    |
|5.994    |         Client Key Exchange           |TLSv1: Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
|         |(49398)  ------------------>  (443)    |
|6.438    |         [TCP Retransmission           |TLSv1: [TCP Retransmission] Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
|         |(49398)  ------------------>  (443)    |
|7.318    |         [TCP Retransmission           |TLSv1: [TCP Retransmission] Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
|         |(49398)  ------------------>  (443)    |
|9.078    |         [TCP Retransmission           |TLSv1: [TCP Retransmission] Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
|         |(49398)  ------------------>  (443)    |
|12.598   |         [TCP Retransmission           |TLSv1: [TCP Retransmission] Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
|         |(49398)  ------------------>  (443)    |
|19.638   |         [TCP Retransmission           |TLSv1: [TCP Retransmission] Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
|         |(49398)  ------------------>  (443)    |
|33.719   |         49398 > https [RST,           |TCP: 49398 > https [RST, ACK] Seq=400 Ack=934 Win=0 Len=0
|         |(49398)  ------------------>  (443)    |

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] Cannot finish handshake with directory server (Kazakhstan)
  - From: Alexander Konovalenko
- Re: [tor-talk] Cannot finish handshake with directory server (Kazakhstan)
  - From: andrew

Prev by Author: Re: [tor-talk] Cannot finish handshake with directory server (Kazakhstan)
Next by Author: Re: [tor-talk] Help users in Iran reach the internet
Previous by thread: Re: [tor-talk] Cannot finish handshake with directory server (Kazakhstan)
Next by thread: [tor-talk] keeping track of popular mentions of Tor?
Index(es):
- Author
- Thread