
Tor and an HTTPS server sharing port 443 (was: Re: xxx-draft-spec-for-TLS-normalization.txt)



2011/2/2 Bjarni Rúnar Einarsson <bre@xxxxxxxxxxxx>
2011/2/2 Jacob Appelbaum <jacob@xxxxxxxxxxxxx>
Hi Bjarni!

Is there any reason that you can't route SSL/TLS traffic to Tor for all
non-SNI requests? Another thing that might work is knowing that all Tor
certificates currently end in .net. So while they're random, it's
certainly possible to know when someone explicitly wants to reach a
different server you certainly know about and isn't in your allowed
lookup table. Anything else can be routed to Tor.

This would work, but the "default fallback" is somewhat of a coveted position as there are lots of web browsers out there that don't send SNI. So in a shared environment you want to define your "favorite" web-site as the default fall-back, not Tor.

I suppose I could add a feature to Pagekite where the default is different for requests with SNI from requests without... best add that to the list, I guess. :-)

OK, I think I've got the required support in pagekite.py for this - it only took 3 lines of tweaks, unless I'm overlooking something. :-)

I haven't got an entry node up and running to test this myself, and am getting on a plane to FOSDEM in the morning so I have to go pack now... but it works for normal HTTPS. If anyone wants to help out and test this on a real entry node, that would save me the hassle, otherwise I'll get around to it myself after the conference and report back.

The code is here: https://github.com/pagekite/PyPagekite/raw/main/pagekite.py
Run it like this:

sudo pagekite.py --clean \
   --isfrontend \
   --ports=443 \
   --protos=https \
   --runas=nobody:nogroup \
   --tls_default=foo.com \
   --backend=https:foo.com:localhost:1443: \
   --backend=https:unknown:localhost:1337:

This should proxy browsers requesting foo.com and old browsers without SNI to localhost:1443, but any other SNI-bearing request will get proxied to port 1337, which is where one would put Tor in this configuration.

Yeah, I'm asking you to run a gigantic python program as root... sorry about that! Only way I know to get port 443... :-)

--
Bjarni R. Einarsson
The Beanstalks Project ehf.

Making personal web-pages fly: http://pagekite.net/