#4744 · Closed (moved)
Issue created Dec 19, 2011 by George Kadianakis@asn

GFW probes based on Tor's SSL cipher list

Tim's tests show that GFW is probing v2/v3 bridges based on the Tor cipher list. Tor is using 28 static ciphers (src/common/ciphers.inc) for the SSL ClientHello of the v2/v3 link handshakes, and GFW seems to get agitated by them.

The question mark in the ticket title reflects the fact that this is not 100% verified, even though Tim dodged probing by simply removing two ciphersuites from ciphers.inc [0], when the same ClientHello, but with full ciphers.inc, was always getting probed (IIRC).

Tim said he is gonna look into this soon-ish, so that the question mark can be removed from the title.

In any case, this ticket is to find a good tactic to remove this static fingerprint from Tor's SSL handshake. My patch in [0] might do it, but it doesn't seem very future-proof.

We should probably see what Firefox does, and hope that it doesn't interfere with v2 signalling.

[0]:

diff --git a/src/common/ciphers.inc b/src/common/ciphers.inc
index c84620d..99ec494 100644
--- a/src/common/ciphers.inc
+++ b/src/common/ciphers.inc
@@ -111,16 +111,6 @@
 #else
    XCIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
 #endif
-#ifdef SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA
-    CIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
-#else
-   XCIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
-#endif
-#ifdef SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA
-    CIPHER(0x0013, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA)
-#else
-   XCIPHER(0x0013, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA)
-#endif
 #ifdef TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA
     CIPHER(0xc00d, TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA)
 #else
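Review bot: the removal of the 0x0016 and 0x0013 entries (both the CIPHER and XCIPHER branch of each #ifdef) leaves no comment in ciphers.inc saying why these two suites are absent, so a later resync of the list could silently restore them. Add a short comment at this spot giving the reason. The result is also still a fixed list, only two entries shorter, so it remains a static value in the ClientHello; if the list takes part in v2 signalling, confirm the shortened list is still recognised before merging.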
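To illustrate why a static cipher list is a stable fingerprint and why dropping two suites changes it, here is an added example (not part of the ticket or of Tor's code) that builds a constructed minimal ClientHello, extracts the offered suites and hashes the ordered list. The sample list holds only the four suite IDs visible in the hunk above, and the truncated SHA-256 fingerprint format and all function names are assumptions made for illustration.

```python
import hashlib
import os
import struct

# Constructed sample: only the four suite IDs visible in the hunk above,
# not Tor's full 28-entry list.
SAMPLE_LIST = [0xC012, 0x0016, 0x0013, 0xC00D]
REMOVED_BY_PATCH = {0x0016, 0x0013}


def build_client_hello(suites):
    """Build a minimal TLS 1.0 ClientHello record (no extensions) as test input."""
    body = b"\x03\x01" + os.urandom(32)      # client_version + fresh random
    body += b"\x00"                          # empty session_id
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                      # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_cipher_suites(record):
    """Return the ordered cipher-suite IDs offered in a ClientHello record."""
    if len(record) < 46 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                     # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                   # skip session_id
    if pos + 2 > len(record):
        raise ValueError("truncated before cipher_suites")
    (n,) = struct.unpack_from(">H", record, pos)
    pos += 2
    if n % 2 or pos + n > len(record):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack_from(">H", record, pos + i)[0] for i in range(0, n, 2)]


def fingerprint(record):
    """Hash the ordered suite list; the per-connection random is not included."""
    suites = parse_cipher_suites(record)
    return hashlib.sha256(",".join(f"{s:04x}" for s in suites).encode()).hexdigest()[:16]


def compare():
    """Fingerprints of two full-list hellos and one with the patch's removals."""
    patched = [s for s in SAMPLE_LIST if s not in REMOVED_BY_PATCH]
    return tuple(fingerprint(build_client_hello(x)) for x in (SAMPLE_LIST, SAMPLE_LIST, patched))


if __name__ == "__main__":
    print(compare())
```

The first two values returned by `compare()` match even though the hello bytes differ in their random field, while the third differs; the patched list is itself just another constant value.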