Opened 9 months ago

Last modified 8 months ago

#29700 new defect

ntor handshake auth failures with RPs

Reported by: mikeperry
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: tor-hs ntor mystery
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

My vanguards addon was detecting dropped cells on my v3 service side due to ntor failures to client-chosen RPs. This happened while testing vanguards 0.3.0 with tor 0.4.0.2-alpha and a v3 onion service that was only for my testing.

This corresponded to control port lines like:

DEBUG[Thu Mar 07 09:51:28 2019]: 650 CIRC 12674 FAILED $DD5DA21CC5036533AE2010DE2C7E72BE2CDF9C5E~Unnamed,$28C52CDBB78DA46124DA62EC1D6796689E719210~ayb,$516C2CCBB1502B7E46E4265D82474257324DF8E2~Unnamed,$E37724D8AD87B149EAD2F3DFD3E1681624AC9EE0~sheldon BUILD_FLAGS=IS_INTERNAL,NEED_CAPACITY,NEED_UPTIME PURPOSE=HS_SERVICE_REND HS_STATE=HSSR_CONNECTING REND_QUERY=jxzsbx2wov6yrzwysw7mbmxal2ab6vwje745djczv4kyxe36a2rhmnid TIME_CREATED=2019-03-07T09:47:54.889121 REASON=TORPROTOCOL

Which matched log lines:

Mar 07 09:51:28.000 [info] onion_skin_ntor_client_handshake(): Invalid result from curve25519 handshake: 4
Mar 07 09:51:28.000 [info] circuit_mark_for_close_(): Circuit 3610696346 (id: 12674) marked for close at src/core/or/relay.c:1731 (orig reason: 1, new reason: 0)
Mar 07 09:51:28.000 [info] circuit_build_failed(): Couldn't connect to the client's chosen rend point "" (last hop failed).
Mar 07 09:51:28.000 [info] can_relaunch_service_rendezvous_point(): Attempt to build a rendezvous circuit to [scrubbed] has failed with 1 attempts and expiry time 1551952317. Giving up building.

I caused this by using Tor version 0.3.5.7 (git-9beb085c10562a25) to connect to my HS like so:

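# Fetch from the onion service, then signal the client tor, in an endless loop.
while true; do
  torsocks wget "http://$MYV3_ONION_NAME.onion/404" -O /dev/null
  # Send SIGHUP to every running tor process (tor reloads its config on SIGHUP).
  killall -HUP tor
done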

That v3 404 URL is in fact non-existent -- it does just send back an HTTP 404.

I think this might be caused by just normal onion key rotation of the RP... In which case there might not be anything we can do?
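
An added example, not part of the ticket or of vanguards: a triage script for control-port CIRC events like the one quoted above, counting FAILED HS_SERVICE_REND circuits with REASON=TORPROTOCOL per last hop so that failures clustered on one RP stand out. It assumes the last path entry is the client-chosen RP (as in the quoted event) and that field values contain no spaces; the sample events are constructed.

```python
import re
from collections import Counter

# "650 CIRC <id> <status> [<path>] KEY=value ..." as in the event quoted in the ticket.
CIRC_RE = re.compile(r"650 CIRC (\d+) (\S+)(?: (\$\S+))?((?: \S+=\S+)*)")

def parse_circ(line):
    """Parse one CIRC event; return None for any other line."""
    m = CIRC_RE.search(line)  # search() tolerates a logger prefix before "650"
    if m is None:
        return None
    circ_id, status, path, rest = m.groups()
    # Each hop is "$FINGERPRINT~nickname"; keep only the fingerprint.
    hops = [h.split("~")[0].lstrip("$") for h in path.split(",")] if path else []
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"id": int(circ_id), "status": status, "hops": hops, **fields}

def rend_protocol_failures(lines):
    """Count FAILED HS_SERVICE_REND circuits with REASON=TORPROTOCOL per last hop."""
    per_rp = Counter()
    for line in lines:
        ev = parse_circ(line)
        if not ev or ev["status"] != "FAILED" or not ev["hops"]:
            continue
        if ev.get("PURPOSE") == "HS_SERVICE_REND" and ev.get("REASON") == "TORPROTOCOL":
            per_rp[ev["hops"][-1]] += 1  # assumption: last hop is the client's RP
    return per_rp

# Constructed sample events: placeholder fingerprints and onion name, not real relays.
G, M, RP1, RP2 = "A" * 40, "B" * 40, "C" * 40, "D" * 40

def _ev(cid, status, rp, purpose, reason):
    tail = f" REASON={reason}" if reason else ""
    return (f"650 CIRC {cid} {status} ${G}~guard,${M}~mid,${rp}~rp "
            f"BUILD_FLAGS=IS_INTERNAL PURPOSE={purpose} REND_QUERY=placeholder{tail}")

SAMPLE = [
    "DEBUG[constructed]: " + _ev(1, "FAILED", RP1, "HS_SERVICE_REND", "TORPROTOCOL"),
    _ev(2, "FAILED", RP1, "HS_SERVICE_REND", "TORPROTOCOL"),
    _ev(3, "FAILED", RP2, "HS_SERVICE_REND", "TIMEOUT"),      # other failure reason
    _ev(4, "BUILT", RP2, "HS_SERVICE_REND", None),            # successful rendezvous
    _ev(5, "FAILED", RP2, "GENERAL", "TORPROTOCOL"),          # not a rend circuit
    "250 OK",                                                  # not a CIRC event
]

if __name__ == "__main__":
    for rp, n in rend_protocol_failures(SAMPLE).most_common():
        print(f"{rp}: {n} HS_SERVICE_REND failure(s) with REASON=TORPROTOCOL")
```

A count spread thinly over many RPs fits ordinary churn; a count concentrated on one fingerprint points at that relay.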


Change History (2)

comment:1 Changed 9 months ago by mikeperry

Keywords: tor-hs added

comment:2 Changed 8 months ago by nickm

Keywords: ntor mystery added
Milestone: Tor: unspecified