Opened 2 years ago

Closed 3 months ago

#21115 closed enhancement (duplicate)

Building Tor With Static SNI

Reported by: mintu.juit@… Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Normal Keywords: easy, intro, torrc, configuration
Cc: Actual Points:
Parent ID: #26425 Points: 1
Reviewer: Sponsor:

Description

I want to have a static value of SNI in TOR in Https Connection. TOR currently uses Random SNI but Firewall is blocking it by checking random SNI.
I have changed crypto_random_hostname to a Static char* in /src/common/tortls.c to a fixed string but after that it is not working.


Change History (13)

comment:1 Changed 2 years ago by cypherpunks

Component: - Select a component → Core Tor
Priority: High → Medium

Firewall is blocking it by checking random SNI

Are you sure is it about SNI only, maybe it compares SNI and CN from cert instead/too? What kind of firewall is it, can you add more information about it?

comment:2 Changed 2 years ago by cypherpunks

I have changed crypto_random_hostname to a Static char* in /src/common/tortls.c to a fixed string but after that it is not working.

You need to replace a different line to change the SNI; it will minimize the changes too:

SSL_set_tlsext_host_name(tls->ssl, fake_hostname);

Change it to:

SSL_set_tlsext_host_name(tls->ssl, "static.sni.com");

comment:3 in reply to:  1 Changed 2 years ago by mintu.juit@…

Replying to cypherpunks:

Firewall is blocking it by checking random SNI

Are you sure is it about SNI only, maybe it compares SNI and CN from cert instead/too? What kind of firewall is it, can you add more information about it?

It allows connections to Google, YouTube and Google Maps. I have written a sample application that sets the SNI to "www.google.com" and makes a connection to any other server. It works fine by just changing the SNI. Now I want to do the same thing with Tor; to do that, do I need to recompile the code, or can I just pass some flags/arguments when starting Tor?

Last edited 2 years ago by mintu.juit@… (previous) (diff)

comment:4 in reply to:  2 Changed 2 years ago by mintu.juit@…

Replying to cypherpunks:

I have changed crypto_random_hostname to a Static char* in /src/common/tortls.c to a fixed string but after that it is not working.

You need to replace a different line to change the SNI; it will minimize the changes too:

SSL_set_tlsext_host_name(tls->ssl, fake_hostname);

Change it to:

SSL_set_tlsext_host_name(tls->ssl, "static.sni.com");

Is there any other way to set a static SNI in Tor or Orbot (such as some arguments or flags)?
Do I need to recompile the binary to set a static SNI in Tor?

comment:5 Changed 2 years ago by cypherpunks

You need to recompile; there are no arguments/flags to change the SNI for either.

I have written a sample application that sets the SNI to "www.google.com" and makes a connection to any other server. It works fine by just changing the SNI.

The firewall can detect Tor itself, by its different cipher suites, etc. That's especially true if Fortinet or Cyberoam is used.
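Comments 2 and 5 make two points: the static SNI is one SSL_set_tlsext_host_name() call, and a firewall can still pick Tor out of everything else in the ClientHello. The script below is an added example, not code from this ticket or from Tor. It uses Python's ssl module (which hands server_hostname to that same OpenSSL call) to build a ClientHello offline through memory BIOs, then parses the record to show the SNI that actually goes on the wire next to the cipher-suite and extension lists, which stay identical whatever SNI is chosen. "static.sni.com" is the value from comment 2; the names a.example and b.example and all function names are my own.

```python
import ssl
import struct

# TLS constants used by the parser below (RFC 5246 / RFC 8446).
RECORD_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
EXT_SERVER_NAME = 0


def build_client_hello(sni: str) -> bytes:
    """Return the raw TLS ClientHello OpenSSL emits for the given SNI.

    Python's ssl module passes server_hostname to SSL_set_tlsext_host_name(),
    the call patched in the ticket.  Memory BIOs mean no socket or network is
    needed: the handshake stalls right after the ClientHello is written.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is out; a ServerHello will never arrive here
    return outgoing.read()


def parse_client_hello(raw: bytes) -> dict:
    """Extract what a DPI box inspects: SNI, cipher suites, extension types."""
    # Reassemble the handshake fragment(s) from the TLS record layer.
    body, pos = b"", 0
    while pos < len(raw):
        ctype, _version, length = struct.unpack("!BHH", raw[pos:pos + 5])
        if ctype != RECORD_HANDSHAKE:
            raise ValueError("unexpected record type %d" % ctype)
        body += raw[pos + 5:pos + 5 + length]
        pos += 5 + length
    if not body or body[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")

    p = 4                      # handshake type (1) + length (3)
    p += 2 + 32                # legacy_version + random
    p += 1 + body[p]           # legacy_session_id
    cs_len = int.from_bytes(body[p:p + 2], "big")
    p += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + body[p]           # legacy_compression_methods
    ext_end = p + 2 + int.from_bytes(body[p:p + 2], "big")
    p += 2

    sni, ext_types = None, []
    while p < ext_end:
        etype = int.from_bytes(body[p:p + 2], "big")
        elen = int.from_bytes(body[p + 2:p + 4], "big")
        edata = body[p + 4:p + 4 + elen]
        ext_types.append(etype)
        if etype == EXT_SERVER_NAME:
            # ServerNameList: 2-byte list length, then (type, len16, name) entries
            q, list_end = 2, 2 + int.from_bytes(edata[0:2], "big")
            while q < list_end:
                name_type = edata[q]
                name_len = int.from_bytes(edata[q + 1:q + 3], "big")
                if name_type == 0:  # host_name
                    sni = edata[q + 3:q + 3 + name_len].decode("ascii")
                q += 3 + name_len
        p += 4 + elen
    return {"sni": sni, "cipher_suites": suites, "extensions": ext_types}


def sni_on_the_wire(sni: str) -> str:
    """The server name a middlebox reads from the ClientHello for this SNI."""
    return parse_client_hello(build_client_hello(sni))["sni"]


def same_fingerprint(sni_a: str, sni_b: str) -> bool:
    """True if two hellos differ only in SNI: same suites, same extension list."""
    a = parse_client_hello(build_client_hello(sni_a))
    b = parse_client_hello(build_client_hello(sni_b))
    return a["cipher_suites"] == b["cipher_suites"] and a["extensions"] == b["extensions"]


if __name__ == "__main__":
    # "static.sni.com" is from comment 2; the other names are made up for the demo.
    for name in ("static.sni.com", "www.google.com"):
        info = parse_client_hello(build_client_hello(name))
        print("SNI=%s suites=%d extensions=%s"
              % (info["sni"], len(info["cipher_suites"]), info["extensions"]))
    print("fingerprint identical across SNIs:", same_fingerprint("a.example", "b.example"))
```

Two caveats for anyone applying the one-line patch from comment 2: the example only builds the ClientHello, and a client that lies in SNI must do its own certificate handling, because any library hostname check against "static.sni.com" would reject the destination's real certificate (Tor validates relay certificates itself rather than by hostname). And, as comment 5 says, the SNI is one field among many; the cipher-suite and extension lists above do not change with the SNI and are exactly what a fingerprinting firewall keys on.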

comment:6 in reply to:  5 Changed 2 years ago by mintu.juit@…

Replying to cypherpunks:

You need to recompile; there are no arguments/flags to change the SNI for either.

I have written a sample application that sets the SNI to "www.google.com" and makes a connection to any other server. It works fine by just changing the SNI.

The firewall can detect Tor itself, by its different cipher suites, etc. That's especially true if Fortinet or Cyberoam is used.

Thanks for your reply. Can you give some suggestions on where I can find out how to cross-compile Tor for Android using the NDK? With the steps in most of the links I found on the internet, I am unable to build it for Android.

comment:7 Changed 2 years ago by nickm

Component: Core Tor → Core Tor/Tor

comment:8 Changed 2 years ago by nickm

Keywords: easy added
Milestone: Tor: 0.3.1.x-final
Type: defect → enhancement

comment:9 Changed 2 years ago by nickm

Points: 1

comment:10 Changed 2 years ago by nickm

Keywords: triaged-out-20170308 added
Milestone: Tor: 0.3.1.x-final → Tor: unspecified

Deferring all 0.3.1 tickets with status == new, owner == nobody, sponsor == nobody, points > 0.5, and priority < high.

I'd still take patches for most of these -- there's just nobody currently lined up to work on them in this timeframe.

comment:11 Changed 2 years ago by nickm

Keywords: intro torrc configuration added; triaged-out-20170308 removed

comment:12 Changed 3 months ago by cypherpunks

Duplicate of #26425?

comment:13 Changed 3 months ago by teor

Parent ID: #26425
Resolution: duplicate
Status: new → closed

There's draft code in #26425.
