Opened 10 years ago

Closed 9 years ago

Last modified 7 years ago

#1145 closed defect (fixed)

Tor fails to load auth-certs

Reported by: knappo
Owned by:
Priority: Low
Milestone: Tor: 0.2.2.x-final
Component: Core Tor/Tor
Version: 0.2.1.20
Severity:
Keywords: easy
Cc: knappo, Sebastian, arma, nickm, karsten
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by nickm)

Used the Tor Browser Bundle 1.2.9 under Windows 7 x64 German.

Worked smoothly, but today it was unable to build a circuit. Log and the Tor-Data are attached.

[Automatically added by flyspray2trac: Operating System: Windows Vista]

Attachments (7)

Datafolder-Task#1145.zip (920.0 KB) - added by knappo 10 years ago.
Datafolder (without geoip)
Log-notice-Task#1145.txt (1.3 KB) - added by knappo 10 years ago.
Log-info-Task#1145.txt (282.5 KB) - added by knappo 10 years ago.
Log-info-Task#1145-second-try.txt (304.3 KB) - added by knappo 10 years ago.
Log-notice-Task#1145-second-try.txt (2.5 KB) - added by knappo 10 years ago.
Log-info-Task#1145-third-try.txt (259.2 KB) - added by knappo 10 years ago.
Log-notice-Task#1145-third-try.txt (2.1 KB) - added by knappo 10 years ago.

Change History (29)

Changed 10 years ago by knappo

Attachment: Datafolder-Task#1145.zip added

Datafolder (without geoip)

Changed 10 years ago by knappo

Attachment: Log-notice-Task#1145.txt added

Changed 10 years ago by knappo

Attachment: Log-info-Task#1145.txt added

comment:1 Changed 10 years ago by knappo

Interestingly, as you can see in the [info]-level log, Tor managed to build a circuit this time. I really don't know why it succeeded this time...

comment:2 Changed 10 years ago by knappo

Think the "problem" is resolved, as it now succeeds every time I start Vidalia. (takes ~5 min to establish a circuit). Aren't Heisenbugs banned from this bugtracker?

comment:3 Changed 10 years ago by knappo

Correction: Seems not solved at all. And it gets stranger as I type...

Loglevel [info]: Tor connects after ~5 min

Loglevel [notice]: Tor DOES NOT connect after 15 min+

(tried this 2 times for each verbosity)

comment:4 Changed 10 years ago by knappo

Tried it three times now (sorry for the log-spam)

Just hope you can find the problem with the data.

BTW: Deleting the tor-data directory helps in this case.

comment:5 Changed 10 years ago by arma

Nov 10 23:23:21.666 [Warning] 1 unknown, 1 missing key, 3 good, 0 bad, 1 no signature, 4 required

Looks like some directory mirrors are giving out consensuses that don't
have enough signatures on them for Tor clients to believe them?

My guess is 'urras' is the unknown, dannenberg is the no signature, ides is the
missing key. That leaves moria1, gabelmoo, tor26, and dizum.

And I think dizum is broken since I asked him to change his IP address but he didn't
fully change it. Somebody should follow up with the thread to Alex and get him to make
his authority work again -- somebody who runs an authority so sees the warnings we're
getting from dizum.

comment:6 Changed 9 years ago by arma

Ok to close this one, on the theory that the particular combination
of directory authority versions that caused it is now gone (or at least
different)?

comment:7 Changed 9 years ago by nickm

Milestone: Tor: 0.2.2.x-final

Let's give a better warning for 0.2.2.x, then close.

comment:8 Changed 9 years ago by nickm

Description: modified (diff)
Keywords: easy added

Marking as "easy", since the fix we concluded that we required is just cleaning up the stupid and incomprehensible message

Nov 10 23:23:21.666 [Warning] 1 unknown, 1 missing key, 3 good, 0 bad, 1 no signature, 4 required

comment:9 Changed 9 years ago by cjb

This one's a duplicate of #1290, I think.

comment:10 Changed 9 years ago by nickm

Well, they're related. For 1290, our problem was the "missing key" signatures where we had no certs to verify them. For this, the problem was more confusing. Still, a fix to one might fix both.

comment:11 Changed 9 years ago by nickm

Status: new → needs_review

See branch "pretty-signature-log" in my public repo. It addresses 1290 too.

comment:12 Changed 9 years ago by Sebastian

I'm not really happy with this patch. It does make the warning appear less often during normal bootstrapping, and instead of one warning it gives lots:

[notice] OpenSSL OpenSSL 0.9.8l 5 Nov 2009 looks like version 0.9.8l; I will try SSL3_FLAGS to enable renegotation.
[notice] No current certificate known for authority moria1; launching request.
[notice] No current certificate known for authority tor26; launching request.
[notice] No current certificate known for authority dizum; launching request.
[notice] No current certificate known for authority ides; launching request.
[notice] No current certificate known for authority gabelmoo; launching request.
[notice] No current certificate known for authority dannenberg; launching request.
[notice] No current certificate known for authority urras; launching request.
[notice] No current certificate known for authority maatuska; launching request.
[notice] Bootstrapped 5%: Connecting to directory server.
[notice] I learned some more directory information, but not enough to build a circuit: We have no network-status consensus.
[notice] Bootstrapped 10%: Finishing handshake with directory server.
[notice] Bootstrapped 15%: Establishing an encrypted directory connection.
[notice] Bootstrapped 20%: Asking for networkstatus consensus.
[notice] Bootstrapped 25%: Loading networkstatus consensus.
[warn] Consensus includes unrecognized authority 'gabelmoo-legacy' at 80.190.246.100:8180 (contact n/a; identity 81349FC1F2DBA2C2C11B45CB9706637D480AB913)
[warn] Consensus includes unrecognized authority 'moria1-legacy' at 128.31.0.34:9131 (contact n/a; identity E2A2AF570166665D738736D0DD58169CC61D8A8B)
[warn] Looks like we need to download a new certificate from authority 'tor26' at 86.59.21.38:80 (contact Peter Palfrader; identity 14C131DFC5C6F93646BE72FA1401C02A8DF2E8B4)
[warn] Looks like we need to download a new certificate from authority 'ides' at 216.224.124.114:9030 (contact Mike Perry <mikeperryTAfsckedTODorg>; identity 27B6B5996C426270A5C95488AA5BCEB6BCC86956)
[warn] Looks like we need to download a new certificate from authority 'maatuska' at 213.115.239.118:443 (contact 4096R/23291265 Linus Nordberg <linus@nordberg.se>; identity 49015F787433103580E3B66A1707A00E60F2D15B)
[warn] Looks like we need to download a new certificate from authority 'dannenberg' at dannenberg.ccc.de:80 (contact Andreas Lehner <anonymizer@ccc.de>; identity 585769C78764D58426B8B52B6651A5A71137189A)
[warn] Looks like we need to download a new certificate from authority 'urras' at 208.83.223.34:443 (contact 4096R/E012B42D Jacob Appelbaum <jacob@appelbaum.net>; identity 80550987E1D626E3EBA5E5E75A458DE0626D088C)
[warn] Looks like we need to download a new certificate from authority 'moria1' at 128.31.0.34:9131 (contact 1024D/28988BF5 arma mit edu; identity D586D18309DED4CD6D57C18FDB97EFA96D330566)
[warn] Looks like we need to download a new certificate from authority 'dizum' at 194.109.206.212:80 (contact 1024R/8D56913D Alex de Joode <adejoode@sabotage.org>; identity E8A9C45EDE6D711294FADF8E7951F4DE6CA56B58)
[warn] Looks like we need to download a new certificate from authority 'gabelmoo' at 80.190.246.100:8180 (contact 1024D/F7C11265 Karsten Loesing <karsten dot loesing AT gmx dot net>; identity ED03BB616EB2F60BEC80151114BB25CEF515B226)
[warn] A consensus needs 5 good signatures from recognized authorities for us to accept it. This one has 0. 2 of the authorities we know didn't sign it. It has 2 signatures from authorities we don't recognize. We were unable to check 8 of the signatures, because we were missing the keys.
[notice] I learned some more directory information, but not enough to build a circuit: We have no network-status consensus.
[notice] Bootstrapped 40%: Loading authority key certs.
[notice] Bootstrapped 45%: Asking for relay descriptors.

IMO what we should do here is to make sure we don't warn as easily, especially because the warning happens frequently even on good connections.

comment:13 Changed 9 years ago by Sebastian

erm. above I meant to say "It does NOT make the warning appear less often"

comment:14 Changed 9 years ago by nickm

Well, the relevant change in the #1290 fix (ignoring the shift in the message format) is to use the chosen severity level consistently by logging at "severity" rather than "INFO". It's trying to make the warning more informative, not more infrequent.

That said, making it more infrequent by changing the severity as appropriate would be a fine thing. Under what circumstances should networkstatus_check_consensus_signature get quieter? Should we call with lower values of "warn" more often, or should we change the semantics by which "severity" is set?

comment:15 Changed 9 years ago by nickm

Here's a thought: we could make it so the severity is at INFO if the number of missing certificates is sufficient on its own to make the consensus potentially good, since we're trying to download all missing certificates.

Of course, probably we don't want to do this for any certs that we've tried to download a couple of times and failed at getting.

I'll try to hack this up.
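
The severity rule proposed in comment 15, sketched in C as an added example; it is not part of the ticket and not code from Tor or the pretty-signature-log branch. All names (sig_tally, pick_severity, gave_up and the rest) are hypothetical, and the three tallies are constructed from the counts quoted in the warnings on this page.

```c
/* Added illustration; every name here is hypothetical, none is from Tor. */
#include <stdio.h>

enum sev { SEV_INFO, SEV_WARN };

struct sig_tally {
  int good;         /* verified against a certificate we hold */
  int bad;          /* failed verification */
  int missing_key;  /* signed, but we lack the certificate to check it */
  int gave_up;      /* part of missing_key: cert fetch already failed repeatedly */
  int unknown;      /* signed by an authority we do not recognize */
  int no_signature; /* recognized authority that did not sign */
  int required;     /* good signatures needed to accept the consensus */
};

/* Constructed samples: the counts in the ticket's warning, the same counts
 * after the one outstanding cert fetch has failed, and the bootstrap log. */
const struct sig_tally TICKET    = {3, 0, 1, 0, 1, 1, 4};
const struct sig_tally GAVE_UP   = {3, 0, 1, 1, 1, 1, 4};
const struct sig_tally BOOTSTRAP = {0, 0, 8, 0, 2, 2, 5};

/* Signatures that a still-pending certificate download could turn good. */
int pending_certs(const struct sig_tally *t) {
  int p = t->missing_key - t->gave_up;
  return p > 0 ? p : 0;
}

/* INFO while the consensus is good or could become good once the pending
 * certificates arrive; WARN once that is no longer possible. */
enum sev pick_severity(const struct sig_tally *t) {
  return (t->good + pending_certs(t) >= t->required) ? SEV_INFO : SEV_WARN;
}

/* Spell the tally out instead of printing bare counters. */
int describe(const struct sig_tally *t, char *buf, size_t len) {
  return snprintf(buf, len,
      "Consensus needs %d good signatures from recognized authorities; it "
      "has %d (%d bad). %d recognized authorities did not sign, %d signers "
      "are unrecognized, %d signatures are unchecked for lack of a "
      "certificate (%d fetches still pending).",
      t->required, t->good, t->bad, t->no_signature, t->unknown,
      t->missing_key, pending_certs(t));
}

int main(void) {
  char msg[320];
  describe(&TICKET, msg, sizeof msg);
  printf("[%s] %s\n", pick_severity(&TICKET) == SEV_INFO ? "info" : "warn", msg);
}
```

With these inputs the bootstrap tally (0 good, 8 unchecked, 5 required) stays at info, while the ticket's tally escalates to warn only once its single outstanding certificate fetch is counted as failed.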

comment:16 Changed 9 years ago by nickm

See the updated prettier-signature-log branch.

comment:17 in reply to:  15 Changed 9 years ago by arma

Replying to nickm:

> Here's a thought: we could make it so the severity is at INFO if the number of missing certificates is sufficient on its own to make the consensus potentially good, since we're trying to download all missing certificates.

The original idea was that the cryptic log message would appear at whatever severity the other log messages appear. So if there's a warn, it hopefully actually tells you what the issue is, and as a bonus, there's this cryptic log message that is useful for developers.

And if no warn, then the cryptic log message shouldn't be a warn.

comment:18 Changed 9 years ago by nickm

Well, I took a different tack. With luck, the cryptic message is no longer cryptic, so there's no need for a bonus message. And the use of "warn" is now chosen a little more judiciously.

See prettier-signature-log branch in my public repo for full details.

comment:19 Changed 9 years ago by nickm

Oops; the name of the branch is still "pretty-signature-log"

comment:20 Changed 9 years ago by Sebastian

Yup, I think that looks good.

comment:21 Changed 9 years ago by nickm

Resolution: None → fixed
Status: needs_review → closed

Merged branch; thanks!

comment:22 Changed 7 years ago by nickm

Component: Tor Client → Tor