[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Fixing Orchid (again), need help!



Hi,

Seems I could fix Orchid.

The problem is neither Tor nor Orchid, seems the list of OpenJDK's
CipherSuites has been changed (I'm using Debian's OpenJDK 10).

Currently, Orchid contains the code in
src/main/java/com/subgraph/orchid/connections/ConnectionSocketFactory.java
like:

private static final String[] MANDATORY_CIPHERS = {
                      "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
            "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",};

Then calls socket.setEnabledCipherSuites(MANDATORY_CIPHERS).

Now I changed this MANDATORY_CIPHERS to the result of
socket.getSupportedCipherSuites() and Orchid works again!

private static final String[] MANDATORY_CIPHERS = {
                    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
            "TLS_RSA_WITH_AES_256_CBC_SHA256",
            "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
            "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
            "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
            "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
            "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
            "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
            "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
            "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
            "TLS_DH_anon_WITH_AES_256_CBC_SHA",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
            "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA",
            "SSL_RSA_WITH_DES_CBC_SHA",
            "SSL_DHE_RSA_WITH_DES_CBC_SHA",
            "SSL_DHE_DSS_WITH_DES_CBC_SHA",
            "SSL_DH_anon_WITH_DES_CBC_SHA",
            "TLS_RSA_WITH_NULL_SHA256",
            "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
            "TLS_ECDHE_RSA_WITH_NULL_SHA",
            "SSL_RSA_WITH_NULL_SHA",
            "TLS_ECDH_ECDSA_WITH_NULL_SHA",
            "TLS_ECDH_RSA_WITH_NULL_SHA",
            "TLS_ECDH_anon_WITH_NULL_SHA",
            "SSL_RSA_WITH_NULL_MD5",
            "TLS_KRB5_WITH_DES_CBC_SHA",
            "TLS_KRB5_WITH_DES_CBC_MD5",
        };

I'm pretty sure I don't need some of (or maybe most of) them, but it
doesn't exactly correspond to the fixed ciphersuite list (torspec
2.1),  so need some more investigation.

Best regards,
MH

2018年11月18日(日) 23:12 Masayuki Hatta <mhatta@xxxxxxxxx>:
>
> Hi,
>
> Some follow-up on fixing Orchid.
>
> AFAIK Orchid connects one of dir auths and sends a (variable length)
> VERSIONS cell, which seems to be correct.  After a while, the
> connection to the dir auth is closed and gets:
>
> 2018-11-18 14:55:18,919 DEBUG - ConnectionImpl - Closing connection to !bastet!
> connectionControlCells.take = Cell: circuit_id=0 command=0 payload_len=3
>
> I think command=0 is weird (padding?), but I don't know what is
> supposed to be.  Appreciate any hints.
>
> Best regards,
> MH
> 2018年11月9日(金) 10:16 Masayuki Hatta <mhatta@xxxxxxxxx>:
> >
> > Hi, thanks for the comment!
> >
> > Orchid sends "3".
> >
> > In src/main/java/com/subgraph/orchid/connections/ConnectionHandshakeV3.java,
> >
> > void runHandshake() throws IOException, InterruptedException,
> > Connection IOException {
> >                 sendVersions(3);
> >                 receiveVersions();
> >                 recvCerts();
> >                 recvAuthChallengeAndNetinfo();
> >                 verifyCertificates();
> >                 sendNetinfo();
> >         }
> >
> > Currently, Orchid is stuck inside receiveVersions.
> >
> > Best regards,
> > MH
> > 2018年11月9日(金) 0:14 Nick Mathewson <nickm@xxxxxxxxxxxx>:
> > >
> > > On Thu, Nov 8, 2018 at 6:12 AM Masayuki Hatta <mhatta@xxxxxxxxx> wrote:
> > > >
> > > > Hi!
> > > >
> > > > As I wrote here some time ago, I fixed Orchid the Java Tor, and it
> > > > worked for a while.
> > > >
> > > > https://lists.torproject.org/pipermail/tor-talk/2018-April/044133.html
> > > >
> > > > Recently (I think it was around July-Aug), Orchid became unworkable
> > > > again.  I'm trying to but can't figure out the cause, so I appreciate
> > > > your help.
> > > >
> > > > Orchid's repo is here: https://github.com/mhatta/Orchid
> > > >
> > > > As far as I could see, now Orchid hangs because it can't receive
> > > > VERSIONS cells so the first handshake with Directory Authorities can't
> > > > be finished.  Some change at Dir Auths (updating new version of Tor, I
> > > > guess)  might cause this, but I can't figure out which changes affect
> > > > this.  Do you have any idea?
> > > >
> > > > Best regards,
> > > What versions does Orchid send in its VERSIONS cell?
> > > --
> > > tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> > > To unsubscribe or change other settings go to
> > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> >
> >
> >
> > --
> > Masayuki Hatta
> > Associate Professor, Faculty of Economics and Management, Surugadai
> > University, Japan
> >
> > http://about.me/mhatta
> >
> > mhatta@xxxxxxx  / mhatta@xxxxxxxxxx / mhatta@xxxxxxxxxxxxx /
> > hatta.masayuki@xxxxxxxxxxxxxxx
>
>
>
> --
> Masayuki Hatta
> Associate Professor, Faculty of Economics and Management, Surugadai
> University, Japan
>
> http://about.me/mhatta
>
> mhatta@xxxxxxx  / mhatta@xxxxxxxxxx / mhatta@xxxxxxxxxxxxx /
> hatta.masayuki@xxxxxxxxxxxxxxx



-- 
Masayuki Hatta
Associate Professor, Faculty of Economics and Management, Surugadai
University, Japan

http://about.me/mhatta

mhatta@xxxxxxx  / mhatta@xxxxxxxxxx / mhatta@xxxxxxxxxxxxx /
hatta.masayuki@xxxxxxxxxxxxxxx
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk