Opened 4 years ago

Closed 4 years ago

#18013 closed defect (fixed)

ZScaler blocking Tor and bridges in every way possible. Bridges not working.

Reported by: alleyfox
Owned by: n8fr8
Priority: Medium
Milestone: Tor: 0.2.8.x-final
Component: Core Tor/Tor
Version: Tor: unspecified
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

When connecting to the Tor network on a network running the ZScaler firewall, it ALWAYS gets stuck on bootstrapped 10%: Finishing handshake with directory server. I have tried all bridge types: scramblesuit, obfs, and meek. I have also tried running behind firewall with restricted policies. These ALL yield the exact same result. A few helpful details: when connecting to ANY website with SSL, even Google, all browsers give a certificate error. Another note: before accessing any webpage besides Google, a user must "login".

Change History (5)

comment:1 Changed 4 years ago by alleyfox

Summary: changed from "Orbot: Bootstrapping stuck at 10%: Finishing handshake with directory server. ZScaler blocks Tor and bridges." to "ZScaler blocks Tor and bridges in every way possible?"

comment:2 Changed 4 years ago by alleyfox

Priority: changed from High to Very High
Summary: changed from "ZScaler blocks Tor and bridges in every way possible?" to "ZScaler blocking Tor and bridges in every way possible. Bridges not working."

comment:3 Changed 4 years ago by teor

Component: changed from Orbot to Tor
Milestone: set to Tor: 0.2.8.x-final
Priority: changed from Very High to Medium

This is caused by all SSL connections being intercepted by ZScaler.
This is not orbot-specific, it would happen with any program that uses tor.

Have you tried meek-google?

Unfortunately, there might not be much we can do about this.
Perhaps the upcoming obfsproxy 5 might resolve this issue.
But if the firewall restricts unknown protocols, we might not be able to help.

What versions of orbot and tor are you using?

comment:4 Changed 4 years ago by cypherpunks

> I have tried all bridge types : scramblesuit, obfs, and meek.

What TCP ports were they served on? Try to use obfs4 listening on port 443.

comment:5 Changed 4 years ago by alleyfox

Resolution: fixed
Status: changed from new to closed

443 is blocked. Fix found. I thought I had tried this but apparently not. Set Tor to operate on port 80 in restrictive policies mode.
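The port question raised in comment 4 and answered in comment 5 can be checked before tor even starts. The following is an added example, not code from this ticket or from the Tor Project: it reads torrc-style `Bridge` lines and reports which ones tor would dial on a port the firewall permits. The function names are hypothetical, the bridge lines are constructed (documentation addresses, placeholder fingerprints and certs), and it assumes meek lines carry a dummy address with the real endpoint in `url=`.

```python
from urllib.parse import urlsplit

def bridge_port(line):
    """Return the TCP port tor actually dials for one torrc Bridge line."""
    fields = line.split()
    if fields and fields[0].lower() == "bridge":
        fields = fields[1:]
    # An optional transport name (obfs4, meek, ...) precedes ADDRESS:PORT.
    transport = None
    if fields and ":" not in fields[0]:
        transport, fields = fields[0].lower(), fields[1:]
    if not fields:
        raise ValueError("no address in bridge line: %r" % line)
    # meek: the listed address is a dummy; traffic goes to the url= endpoint.
    if transport == "meek":
        for field in fields[1:]:
            if field.startswith("url="):
                url = urlsplit(field[4:])
                return url.port or (443 if url.scheme == "https" else 80)
    # rpartition keeps bracketed IPv6 literals ([2001:db8::1]:80) intact.
    host, _, port = fields[0].rpartition(":")
    if not host or not port.isdigit():
        raise ValueError("bad ADDRESS:PORT in bridge line: %r" % line)
    return int(port)

def split_by_firewall(lines, allowed_ports):
    """Partition bridge lines into (usable, blocked) for an allowed-port set."""
    usable, blocked = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        target = usable if bridge_port(line) in allowed_ports else blocked
        target.append(line)
    return usable, blocked

# Constructed sample input: no real bridges, fingerprints or certs.
SAMPLE = [
    "Bridge obfs4 192.0.2.10:443 " + "A" * 40 + " cert=PLACEHOLDER iat-mode=0",
    "Bridge obfs4 192.0.2.20:80 " + "B" * 40 + " cert=PLACEHOLDER iat-mode=0",
    "Bridge meek 0.0.2.0:2 url=https://meek.example/ front=front.example",
    "Bridge [2001:db8::1]:80 " + "C" * 40,
    "Bridge 192.0.2.30:9001",
]

if __name__ == "__main__":
    ok, bad = split_by_firewall(SAMPLE, {80})   # only port 80 is open, as in comment 5
    print("usable:", *ok, sep="\n  ")
    print("blocked:", *bad, sep="\n  ")
```

A permitted port is necessary but not sufficient: as comment 3 notes, a firewall that restricts unknown protocols can still drop the connection on port 80.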
