[tor-talk] Fixing Orchid (again), need help!

2018-11-08 Thread Masayuki Hatta
Hi!

As I wrote here some time ago, I fixed Orchid the Java Tor, and it
worked for a while.

https://lists.torproject.org/pipermail/tor-talk/2018-April/044133.html

Recently (I think it was around July-Aug), Orchid became unworkable
again.  I'm trying to, but can't figure out the cause, so I would
appreciate your help.

Orchid's repo is here: https://github.com/mhatta/Orchid

As far as I can see, Orchid now hangs because it can't receive
VERSIONS cells, so the first handshake with the Directory Authorities
can't be finished.  Some change at the Dir Auths (updating to a new
version of Tor, I guess) might have caused this, but I can't figure out
which changes affect this.  Do you have any idea?

Best regards,
MH

--
Masayuki Hatta
Associate Professor, Faculty of Economics and Management, Surugadai
University, Japan

http://about.me/mhatta

mha...@gnu.org  / mha...@debian.org / mha...@opensource.jp /
hatta.masay...@surugadai.ac.jp
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Fixing Orchid (again), need help!

2018-11-08 Thread Nick Mathewson
On Thu, Nov 8, 2018 at 6:12 AM Masayuki Hatta  wrote:
>
> Hi!
>
> As I wrote here some time ago, I fixed Orchid the Java Tor, and it
> worked for a while.
>
> https://lists.torproject.org/pipermail/tor-talk/2018-April/044133.html
>
> Recently (I think it was around July-Aug), Orchid became unworkable
> again.  I'm trying to but can't figure out the cause, so I appreciate
> your help.
>
> Orchid's repo is here: https://github.com/mhatta/Orchid
>
> As far as I could see, now Orchid hangs because it can't receive
> VERSIONS cells so the first handshake with Directory Authorities can't
> be finished.  Some change at Dir Auths (updating new version of Tor, I
> guess)  might cause this, but I can't figure out which changes affect
> this.  Do you have any idea?
>
> Best regards,
What versions does Orchid send in its VERSIONS cell?


Re: [tor-talk] Fixing Orchid (again), need help!

2018-11-09 Thread Masayuki Hatta
Hi, thanks for the comment!

Orchid sends "3".

In src/main/java/com/subgraph/orchid/connections/ConnectionHandshakeV3.java,

    void runHandshake() throws IOException, InterruptedException,
            ConnectionIOException {
        sendVersions(3);
        receiveVersions();
        recvCerts();
        recvAuthChallengeAndNetinfo();
        verifyCertificates();
        sendNetinfo();
    }

Currently, Orchid is stuck inside receiveVersions.

Best regards,
MH


Re: [tor-talk] Fixing Orchid (again), need help!

2018-11-18 Thread Masayuki Hatta
Hi,

Some follow-up on fixing Orchid.

AFAIK Orchid connects to one of the dir auths and sends a (variable
length) VERSIONS cell, which seems to be correct.  After a while, the
connection to the dir auth is closed and Orchid gets:

2018-11-18 14:55:18,919 DEBUG - ConnectionImpl - Closing connection to !bastet!
connectionControlCells.take = Cell: circuit_id=0 command=0 payload_len=3

I think command=0 is weird (padding?), but I don't know what it is
supposed to be.  I'd appreciate any hints.

Best regards,
MH


Re: [tor-talk] Fixing Orchid (again), need help!

2018-11-19 Thread Masayuki Hatta
Hi,

It seems I could fix Orchid.

The problem is neither Tor nor Orchid; it seems the list of OpenJDK's
CipherSuites has been changed (I'm using Debian's OpenJDK 10).

Currently, Orchid contains the code in
src/main/java/com/subgraph/orchid/connections/ConnectionSocketFactory.java
like:

    private static final String[] MANDATORY_CIPHERS = {
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    };

It then calls socket.setEnabledCipherSuites(MANDATORY_CIPHERS).

Now I changed this MANDATORY_CIPHERS to the result of
socket.getSupportedCipherSuites() and Orchid works again!

    private static final String[] MANDATORY_CIPHERS = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
        "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
        "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
        "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
        "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
        "TLS_DH_anon_WITH_AES_256_CBC_SHA",
        "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
        "TLS_DH_anon_WITH_AES_128_CBC_SHA",
        "SSL_RSA_WITH_DES_CBC_SHA",
        "SSL_DHE_RSA_WITH_DES_CBC_SHA",
        "SSL_DHE_DSS_WITH_DES_CBC_SHA",
        "SSL_DH_anon_WITH_DES_CBC_SHA",
        "TLS_RSA_WITH_NULL_SHA256",
        "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
        "TLS_ECDHE_RSA_WITH_NULL_SHA",
        "SSL_RSA_WITH_NULL_SHA",
        "TLS_ECDH_ECDSA_WITH_NULL_SHA",
        "TLS_ECDH_RSA_WITH_NULL_SHA",
        "TLS_ECDH_anon_WITH_NULL_SHA",
        "SSL_RSA_WITH_NULL_MD5",
        "TLS_KRB5_WITH_DES_CBC_SHA",
        "TLS_KRB5_WITH_DES_CBC_MD5",
    };

I'm pretty sure I don't need some of (or maybe most of) them, but it
doesn't exactly correspond to the fixed ciphersuite list (torspec
2.1), so it needs some more investigation.

Best regards,
MH

Re: [tor-talk] Fixing Orchid (again), need help!

2018-11-19 Thread grarpamp
You could likely remove the ones not mentioned
in torspec or the tor code, most of which are deprecated,
and potentially add compatibility for these TLS 1.3 suites
from OpenSSL 1.1.1 in case tor adds them later,
so long as current tor does not reject hellos with them...

TLS_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
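
Added example, not part of any message in this thread and not Orchid's code: one way to replace the full getSupportedCipherSuites() dump with an ordered allowlist, which matters because that dump also enables NULL (no encryption), anon (no server authentication) and single-DES suites. PREFERRED is a hypothetical selection of suite names quoted in this thread, not the torspec list; suites the running JVM lacks (for example the TLS 1.3 ones on older JDKs) are skipped.

```java
import java.util.*;
import javax.net.ssl.SSLContext;

// Added example, not Orchid code. PREFERRED is a hypothetical allowlist built
// from suite names quoted in this thread; it is not the torspec list.
public class CipherAllowlist {
    static final List<String> PREFERRED = List.of(
        "TLS_CHACHA20_POLY1305_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA");

    // Name markers for suites with no encryption (NULL), no server
    // authentication (anon), single DES, Kerberos, or an MD5 MAC.
    static final String[] WEAK = {"_NULL_", "_anon_", "_DES_CBC_", "_KRB5_", "_MD5"};

    static boolean isWeak(String suite) {
        for (String marker : WEAK) if (suite.contains(marker)) return true;
        return false;
    }

    // Keep PREFERRED order; drop anything this JVM does not support or that is weak.
    static String[] select(String[] supported) {
        Set<String> have = new HashSet<>(Arrays.asList(supported));
        List<String> out = new ArrayList<>();
        for (String s : PREFERRED) if (have.contains(s) && !isWeak(s)) out.add(s);
        if (out.isEmpty())
            throw new IllegalStateException("no allowlisted cipher suite is supported by this JVM");
        return out.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Runs offline: asks the default JSSE provider what it supports.
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        int weak = 0;
        for (String s : supported) if (isWeak(s)) weak++;
        System.out.println("supported: " + supported.length + ", weak among them: " + weak);
        // The selected array is what would be passed to socket.setEnabledCipherSuites(...).
        for (String s : select(supported)) System.out.println("enable " + s);
    }
}
```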