strange SOCKS error code when connecting to a hidden service using the wrong port
I set up two distinct hidden services, HTTP(80) and SSH(22) on my machine (since I didn't know you could put multiple records under a single service).
Today I made the mistake of connecting to the HTTP service using port 22 (took the HTTP service's url, stripped the http part, entered into PuTTY). The returned error code was 0x02 = connection not allowed by ruleset. This message made me very confused, since it somehow implies that my SOCKS settings were somehow blocking the connection. But that was not the case.
What happened on the TOR back-end was, my request got received, the remote TOR server found that my port was not on the list of ports associated with that particular onion hostname, and rejected the connection attempt. Finally, my TOR client, trying to be as clever as informative as possible, returned that specific error code.
While the error code does in some sense describe what happened internally, I do not think that 0x02 is appropriate for this scenario. I did not study the SOCKS specification, however I'm assuming that "ruleset" refers to the access control rules implemented on the daemon that's providing the tunnel, and not on the remote endpoint (the target machine is oblivious to SOCKS and just sees an incoming TCP connection, so it can't react in any way).
My proposal is to change this error code to reduce confusion and help users identify the cause of the problem (between keyboard and chair in my case :). Which one to use? I suggest 0x05 = connection refused by destination host. "Connection refused" is what you normally get if the destination machine has nothing running on the requested port (and there's no firewall to hide that).
Visualize a single hidden service as a physical machine running somewhere on the internet, with stuff listening only on ports associated with that HS. In that case, connecting to a wrong port would give TCP "connection refused". And TOR hidden service isolation seems to be making virtual servers like this. So why shouldn't it be returning this error code instead?
PS: Also think of SOCKS client software that might get confused by this error code. PS2: You could test the effectiveness of this change by taking a group of people, giving them a setup like mine, asking them to troubleshoot the issue and timing them. Whichever group can figure out what the problem is faster has the better error code.
[Automatically added by flyspray2trac: Operating System: All]