Skip to content

If I have two bridge lines with the same fingerprint, Tor only tries one of them

Start Tor configured with two bridges that have the same identity fingerprint:

$ src/app/tor usebridge 1 bridge "obfs4 45.145.95.6:27015 C5B7CD6946FF10C5B3E89691A7D3F2C122D2117C cert=TD7PbUO0/0k6xYHMPW3vJxICfkMZNdkRrb63Zhl5j9dW3iRGiCx0A7mPhe5T2EDzQ35+Zw iat-mode=0" bridge "obfs4 [2a0c:4d80:42:702::1]:27015 C5B7CD6946FF10C5B3E89691A7D3F2C122D2117C cert=TD7PbUO0/0k6xYHMPW3vJxICfkMZNdkRrb63Zhl5j9dW3iRGiCx0A7mPhe5T2EDzQ35+Zw iat-mode=0"

My Tor connects to the IPv4 address and successfully pulls down a descriptor:

Nov 16 14:41:25.866 [notice] new bridge descriptor 'dktoke' (fresh): $C5B7CD6946FF10C5B3E89691A7D3F2C122D2117C~dktoke [jvQiwW4F56WErOOOEUDVkIOO65AYIAm8qy2z7oiSmD4] at 45.145.95.6

Then later it decides that it should use the IPv6 address instead:

Nov 16 14:41:26.163 [notice] Bridge 'dktoke' has both an IPv4 and an IPv6 address.  Will prefer using its IPv6 address ([2a0c:4d80:42:702::1]:27015) based on the configured Bridge address.

But since I don't have working ipv6, that new connect attempt fails:

Nov 16 14:41:37.179 [warn] Proxy Client: unable to connect OR connection (handshaking (proxy)) with [2a0c:4d80:42:702::1]:27015 ID=jvQiwW4F56WErOOOEUDVkIOO65AYIAm8qy2z7oiSmD4 RSA_ID=C5B7CD6946FF10C5B3E89691A7D3F2C122D2117C ("general SOCKS server failure")
Nov 16 14:41:38.209 [warn] Proxy Client: unable to connect OR connection (handshaking (proxy)) with [2a0c:4d80:42:702::1]:27015 ID=jvQiwW4F56WErOOOEUDVkIOO65AYIAm8qy2z7oiSmD4 RSA_ID=C5B7CD6946FF10C5B3E89691A7D3F2C122D2117C ("general SOCKS server failure")
Nov 16 14:41:39.171 [notice] Delaying directory fetches: No running bridges

And I am left with a disconnected Tor, when it clearly was able to use the IPv4 address, but it just chooses not to.

I found this bug because Tor Browser actually sets both of the above bridges when you ask to use the built-in obfs4 bridges, and Tor ends up ignoring the IPv4 one, even if it's the only one of the two which works -- which is probably not what the Tor Browser folks expected.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information