#26776 closed defect (duplicate)

Control port failures for hidden services

Reported by: oqista Owned by:
Priority: Medium Milestone:
Component: Core Tor/Tor Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


With Tor on Linux, connect to the control port. Then setconf HiddenServiceDir (to create a new service) and HiddenServicePort, as one command. Then getconf HiddenServiceOptions to make sure it's right.

Now, connect to your new hidden service from another computer, with no authorization. Success, as expected.

Then, setconf HiddenServiceDir (for the same service as before), HiddenServicePort, and HiddenServiceAuthorizeClient, all as one command. Notice the hostname file for the hidden service now contains an auth cookie, as expected.

Finally, connect to the hidden service again from another computer, still with no authorization. Success! But it should fail, since you didn't provide the auth cookie!

To fix it, you have to restart Tor on your server, and do setconf _with_ HiddenServiceAuthorizeClient the first time.

The same bug hits in the other direction too: after you restart Tor to start enforcing the auth cookie, if you do setconf without HiddenServiceAuthorizeClient, then the auth cookie immediately disappears from the hostname file (as expected), but Tor continues enforcing the cookie until you restart.

The same configuration-stickiness bug applies to setconf HidServAuth on the client side too (tested on Linux and Windows). If you try to connect to a hidden service requiring authentication before you set HidServAuth, then of course it fails, but if you then set HidServAuth, it _still_ fails. You have to restart Tor, then set HidServAuth _before_ you try to connect to the hidden service for the first time. Then it will succeed.

Just to be clear: to trigger these bugs, do all the various configurations and reconfigurations exclusively via the control port. Don't set any of them in torrc.
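
Added example, not part of the ticket or Tor's own code: a Python check that compares two `GETCONF HiddenServiceOptions` replies and flags services whose HiddenServiceAuthorizeClient setting changed after the service was first configured, which is the case where the report says enforcement lags until a restart. The reply lines, paths and client name are constructed, and the `250-keyword=value` reply layout is assumed from the control protocol.

```python
# Added example: flag onion services whose client-authorization setting was
# changed over the control port after the service was first configured.
# Per the ticket, Tor keeps enforcing the earlier setting until restarted.

def parse_hs_options(reply_lines):
    """Parse a GETCONF HiddenServiceOptions reply into {service_dir: options}."""
    services, current = {}, None
    for line in reply_lines:
        line = line.rstrip("\r\n")
        if not line.startswith("250") or len(line) < 4 or line[3] not in "- ":
            raise ValueError("unexpected control-port reply: %r" % line)
        key, sep, value = line[4:].partition("=")
        if not sep:
            continue  # bare "250 HiddenServiceOptions": no services configured
        if key == "HiddenServiceDir":
            current = services.setdefault(value, {"ports": [], "auth": None})
        elif current is None:
            raise ValueError("option before any HiddenServiceDir: %r" % line)
        elif key == "HiddenServicePort":
            current["ports"].append(value)
        elif key == "HiddenServiceAuthorizeClient":
            current["auth"] = value
    return services


def auth_drift(first_seen, latest):
    """Return (dir, old_auth, new_auth) for services whose auth setting changed."""
    drift = []
    for service_dir, opts in latest.items():
        before = first_seen.get(service_dir)
        if before is not None and before["auth"] != opts["auth"]:
            drift.append((service_dir, before["auth"], opts["auth"]))
    return sorted(drift)


# Constructed sample replies (paths and client name are made up).
REPLY_FIRST = [
    "250-HiddenServiceDir=/var/lib/tor/hs_a\r\n",
    "250 HiddenServicePort=80 127.0.0.1:8080\r\n",
]
REPLY_LATER = [
    "250-HiddenServiceDir=/var/lib/tor/hs_a\r\n",
    "250-HiddenServicePort=80 127.0.0.1:8080\r\n",
    "250 HiddenServiceAuthorizeClient=basic alice\r\n",
]

if __name__ == "__main__":
    first, later = parse_hs_options(REPLY_FIRST), parse_hs_options(REPLY_LATER)
    for d, old, new in auth_drift(first, later):
        print("%s: auth changed %r -> %r; restart Tor before relying on it" % (d, old, new))
```

Feed it the reply captured right after the service is first created and the reply captured after any later setconf; a non-empty result means the configured and enforced authorization may disagree until Tor is restarted.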

Change History (3)

comment:1 Changed 19 months ago by Dbryrtfbcbhgf

Have you been able to reproduce this bug on Tor or in the alpha?

And installing the latest development snapshot of Stem may also fix the bugs.
git clone https://git.torproject.org/stem.git

Last edited 19 months ago by Dbryrtfbcbhgf

comment:2 Changed 19 months ago by oqista

Reproduced on on Windows. https://www.torproject.org/download/download.html.en has no Windows build for yet, and on Linux my distribution doesn't package it yet.

I'm not using Stem. To reproduce the bugs, talk to Tor's control port directly, e.g. using netcat.

comment:3 Changed 19 months ago by dgoulet

Resolution: duplicate
Status: new → closed

Thanks for this oqista! I've opened #26812 with what I believe is the problem in the code. We'll defer every discussion about this bug there from now on. There might be more things but as we discover them, we'll open tickets if needed. Closing this ticket as duplicate for this purpose.

Thanks again!
