Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
2020-06-13T15:28:37Z

https://gitlab.torproject.org/legacy/trac/-/issues/26927
Improve the log message when peer id authentication fails
2020-06-13T15:28:37Z
teor
Split off #26924.
Tor: 0.3.5.x-final
teor teor

https://gitlab.torproject.org/legacy/trac/-/issues/26925
Make link specifier handling in rend-spec-v3 more precise
2020-06-13T15:28:36Z
teor
Split off #26627.
We should specify that clients and services must not check untrusted link specifiers against the consensus:
https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt#n1338
https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt#n1705
Services should also copy unrecognized rend point link specifiers from the introduce cell to the rendezvous join cell.
We can copy the text from the service intro->rend spec:
https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt#n1705
To the client desc->intro spec:
https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt#n1338
Thanks to catalyst for picking up on these missing parts of the spec.
Edit: fix line numbers
Tor: 0.3.5.x-final
teor teor

https://gitlab.torproject.org/legacy/trac/-/issues/26924
Make single onion service to rend and Tor2web to intro link authentication into a protocol warning
2020-06-13T15:28:35Z
teor
Single onion services and Tor2web connect directly to relays using untrusted link authentication keys.
These connections can cause a lot of warnings, particularly due to the link auth bugs in #26627.
We can either:
* downgrade all link auth warnings to protocol warnings on single onion services and Tor2web (this is the fast fix)
* taint untrusted link auth keys, and then downgrade connections using tainted keys to protocol warnings (this is very intrusive)
Tor: 0.3.5.x-final
teor teor

https://gitlab.torproject.org/legacy/trac/-/issues/26627
HSv3 throws many "Tried connecting to router at [IP:port], but RSA identity key was not as expected"
2020-06-13T15:28:36Z
George Kadianakis
A popular-ish HSv3 operator contacted me and told me that they've been getting lots of warnings on their logs:
```
[warn] Tried connecting to router at [IP:port], but RSA identity key was not as expected: wanted [hex string] + [base64 string] but got [same hex string] + no ed25519 key.
```
They are afraid it's some sort of downgrade attack. We should look into this.
Tor: 0.3.2.x-final
teor teor

https://gitlab.torproject.org/legacy/trac/-/issues/22460
Link handshake trouble: certificates and keys can get out of sync
2020-06-13T15:09:51Z
teor
I'm running a recent tor master as an authority in a tor testing network:
```
[notice] Tor 0.3.1.0-alpha-dev (git-0266c4ac819d9c83) running on Darwin with Libevent 2.1.8-stable, OpenSSL 1.0.2k, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
```
I get this warning every so often:
```
[warn] Received a bad CERTS cell: Link certificate does not match TLS certificate
```
Is this expected?
Tor: 0.3.1.x-final