IRC Archive / Oftc / #tor / 2010 / February / 17 / 1
nsa
or: Karsten Loesing <karsten.loesing@gmx.net>: 2010-02-16 22:19:46 [ernie/master]: Add tools page listing the currently available and upcoming metrics tools.
or: phobos committed revision 21671 (/website/trunk/include): rebuild osx i386 packages with special apple tls renegotiation enabler option.
or: Christopher Davis <chrisd@mangrin.org>: 2010-02-17 03:48:50 [polipo/master]: Update CHANGES.
or: Christopher Davis <chrisd@mangrin.org>: 2010-02-17 04:21:48 [polipo/master]: Add a record of 1.0.4.1 to CHANGES.
zzz_
Hello, I am using Debian Sid with Tor 0.2.1.23 and Vidalia 0.2.7. When I try to connect to the Tor network, Vidalia shows this error: [Warning] TLS error: unexpected close while renegotiating. Is this a known problem?
arma
zzz_: hey. there's a short thread about it on or-talk. you're person #2 with the problem.
but it only appeared this evening, since 0.2.1.23 basically just came out.
i'm not sure what the story is. your openssl shouldn't have renegotiation disabled.
i wonder if our stable release broke it somehow.
(damn this openssl bug and its fallout.)
zzz_: are you using tor as a client, and it's failing?
zzz_
arma: Yes, I am running as a client only. It has started to give this error very recently.
arma: Actually the Debian changelog might give us a hint: http://packages.debian.org/changelogs/pool/main/t/tor/tor_0.2.1.23-1/changelog
arma
hmmmm.
yes, that does look like a hint.
ok, that's two votes for "the 0.2.1.23 deb is broken". i'll open a flyspray entry.
helix
(Action) tests
zzz_
arma: By the way, Debian has disabled renegotiation since 12 Nov 2009: http://packages.debian.org/changelogs/pool/main/o/openssl/openssl_0.9.8k-8/changelog
arma
zzz_: it's my understanding that debian took the patch from openssl, which turned it off by default but allowed applications to turn it back on
that's different from freebsd, which just hacked the whole feature out, and who cares what the openssl project releases
nsa
or: Christopher Davis <chrisd@mangrin.org>: 2010-02-17 05:30:08 [polipo/master]: Copy changes for 1.0.4.1 back to 1.0.5.
         

zzz_
arma: I just realized I don't know much about this issue. Thanks for the clarification.
arma
helix: https://bugs.torproject.org/flyspray/index.php?do=details&id=1252
zzz_: the challenge on our side was that apple appeared to do what freebsd did (remove the whole feature and basically fork openssl), but actually apple ships include files that don't match their libraries, so the library supported turning it back on, but the .h files didn't have any of the constants we look for to see if your openssl supports turning it back on.
(zero points for apple)
helix
the package still build-deps on libssl-dev, the only difference is that it's not versioned. still, in unstable, it will pick up 0.9.8k-8.
zzz_
arma: I just compiled Tor 0.2.2.8-alpha from source, and it appears to work properly.
arma
"it would"
i think the 0.2.2.8-alpha deb should work for you too.
it's possible that the 0.2.2.9-alpha deb, when it's released, will not. unless we fix this.
zzz_
Sorry, should have asked you.
arma: Would it help if I git bisect?
Hmm... Not many commits anyway.
StrangeCharm
i've been getting a surprising (to me) number of DMCA notices in the last few days. after extensive discussion with my university, i switched my relay to an exit on the 8th. since then, i've received 18 dmca takedown requests. my relay is in the USA, the bandwidth rate is 100, burst 150, and I think that it uses almost all of that (but haven't checked very hard). am i receiving an abnormal number of requests, or is this par for the course
i also get lots of "[warn] Rejected invalid g^x", then "DH key must be at least 2", then "Rejecting insecure DH key [0]" what's that all about?
Sebastian_
that's probably people using ancient versions of Tor, or people trying to build their own Tor client getting it wrong. The warnings have been demoted (and I believe the alpha versions already don't warn about this anymore), because it isn't dangerous for your relay at all.
StrangeCharm
Sebastian_, so it's basically my relay saying something like 'someone asked for something in spanish. i don't speak spanish. i ignored them' ?
arma
strangecharm: your relay is hearing from tor clients that are trying to do their crypto unsafely.
why are they trying to do their crypto unsafely? i dunno. maybe they are written by people who didn't care to do the crypto right.
your tor relay refuses to talk to them unless they get their crypto right.
and it informs you every time it happens, because back when i wrote that code, i thought you would want to know. :) as sebastian points out, it turns out not everybody does want to know.
StrangeCharm
oh well, seems like no skin off my nose
what about my rate of dmca complaints. is that normal?
Sebastian_
I'm afraid I can't tell you... Do you have an unusual exit policy?
StrangeCharm
exit *.*
Sebastian_
you mean accept *:*?
StrangeCharm
yes, that is what i mean
Sebastian_
ah
yes, I think that's to be expected, then
you're allowing port 25, so email spammers can use your relay. You're allowing all the well-known and still most heavily used bittorrent ports
you might be much happier with the default exit policy
StrangeCharm
doesn't bittorrent sneak around any possible shaping on the line?
Sebastian_
it does, but when it doesn't have to, it won't
StrangeCharm
more precisely: won't bittorrent still exit from my node if i change the policy? or are you saying that bittorrent streams will see if there's another node compatible with not having to do any shenanigans, and exit there instead?
the default policy is https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#Istherealistofdefaultexitports.3F ?
arma
your node probably is performing poorly, because it's overloaded by attention from tor clients that couldn't find anywhere else for their exits
         

Sebastian_
I'm saying that everyone is currently trying to use your node
arma
what's the nickname? i'll check if i'm right
StrangeCharm
wonderland
Sebastian_
StrangeCharm: you don't need to copy that policy, just don't set the ExitPolicy line to get it.
arma
s Exit Fast HSDir Named Running V2Dir Valid
v Tor 0.2.1.22
w Bandwidth=11
bandwidth 102400 153600 191432
yeah. your relay is thinking it can do 100KB/s,
and the bandwidth measurement authorities think it's more like 11KB/s.
you are way overloaded
Sebastian_
arma: can you check for fluxe3 real quick? ;)
arma
w Bandwidth=18
p accept 22,443,993,995
bandwidth 102400 2048000 232259
Sebastian_
looks pretty similar, huh
arma
same, it appears. hm.
node_id=$ED13D1D13C1E57C6A406DD64551D2F905AB99AFF bw=18 diff=-85 nick=fluxe3 measured_at=1266288320
yeah, moria1 thinks fluxe3 is way slower than fluxe3 thinks it is
StrangeCharm
so, my relay has about 10% the throughput i allow it to have?
what's holding it up?
arma
strangecharm: no, it probably has exactly 100% of the throughput you allow.
which means there's no space for anybody else
also, accept *:* means you're allowing the default bittorrent ports, which the default exit policy refuses
Sebastian_
I wonder if fluxe3 is an example of mikeperry's claims that the load balancing is screwed currently.
arma
so all the people who just hooked their bittorrent up to their tor and never read 'please don't do that'? they're all using your exit.
StrangeCharm
sorry, i don't follow. who isn't getting space? or do you mean that the allowed throughput is too close to the throughput of the actual connection to that machine
Sebastian_
StrangeCharm: the measurement idea was just to test out a theory
StrangeCharm
which theory?
Sebastian_
StrangeCharm: many people try to use your relay, because it is one of the very few exits allowing all ports
StrangeCharm
that theory was tested by measuring its throughput?
Sebastian_
so load balancing cannot work in this case, because Tors will use your relay whether it's one of the fastest or not, because it allows exiting.
arma
strangecharm: if you remove all the exitpolicy lines from your torrc, your dmca complaints will decrease.
Sebastian_
arma: heh, you're good at repeating what I said :P
(with that I mean: StrangeCharm, trust arma) :-)
arma
a consistent message sinks in better :)
Sebastian_
it totally does :)
any ideas why fluxe3's bw measurement sucks?
StrangeCharm
if i change my exit policy (either explicitly or implicitly) to remove those ports, i'll get less of the default bittorrent traffic, but probably continue to get about 100kbps of traffic in general?
Sebastian_
maybe because it is chosen for exits, but doesn't get the exit flag.
StrangeCharm: yes.
http://trunk.torstatus.kgprog.com/cgi-bin/perlgraph/bandwidthgraph.pl?fp=ED13D1D13C1E57C6A406DD64551D2F905AB99AFF&name=fluxe3&time=month sure looks like fluxe3 is as loaded as it can be
arma
strangecharm: oh hey, you're a princeton student? and you got princeton to let you run an exit relay? woo.
http://trunk.torstatus.kgprog.com/router_detail.php?FP=6708100ac9348bf481a7ac05b559d35811c209b9
yeah, your relay is at exactly 100KB/s usage every moment of every day.
Sebastian
oh hey
people like it
StrangeCharm
arma, yes. it took a year, and extensive meetings, discussions, persuading the general counsel, a dean, among others, but yes, they agreed. that was a week, and 18 complaints ago.
they don't mind, as long as the administrative burden is low. if they have to deal with too many complaints, that's a problem, not because they think the complaints have value, but because it takes the time of the person who has to answer them.
arma
ah. i would switch to the default exit policy immediately then, before they start hating you.
the complaints will continue to come in for a while, based on what has already happened
StrangeCharm
it's been suggested that the burden is a little high right now, and could i possibly do something about it. so i'm doing something.
arma
i talked to the general counsel at indiana university a year or so back. plus the general counsel at cmu, which ok'ed an exit relay there. i'd be happy to introduce.
georgia tech ran an exit relay for a while. they didn't care about dmca complaints. it was a bomb scare that eventually made them decide they didn't want to keep it running. (some high school kid shut down his school by reporting a bomb via tor)
strangecharm: do you know mike freedman? (a professor at princeton)
StrangeCharm
i think i'm okay right now. after much pushing, i finally got a face-to-face meeting with the people that mattered, and explained roughly how tor works, and what it's for. i explained to the counsel that dmca 512(a) explicitly describes tor. he believes me. they're not ecstatic, but happy for it to keep going, as long as it doesn't cost too much money in responding to dmca request man-hours.
arma, i've met him a few times, but we've never discussed our respective problems, though i did read about his issues on ars technica
arma
more generally, you know about ed felten's group there, yes?
the something policy something innovation group, or whatever they call it
StrangeCharm
yes, i do, i'm a member of the citp undergrad fellows forum, take a class from ed felten, and so on.
arma
great.
StrangeCharm
ceter for information technology policy
*center
i've talked with ed about this, but haven't asked him to get involved: i don't think it's worth his political capital, if i can get things done myself
arma
sounds good. might be best to keep him in the loop a bit, in case you need him later.
StrangeCharm
i keep him updated, but i don't want to overload him with stuff
i feel like the best way to keep him potentially on my side is to keep him interested, but not spam him
arma
makes sense
any other questions i can help with?
StrangeCharm
not right now, but thanks for your help
arma
sure thing. i have a side hobby of trying to help people run tor exit relays at their universities. :)
StrangeCharm
good place to get a foothold?
did i previously tell you that i was at princeton?
arma
i'm not sure. i don't think so.
unless it was years ago
StrangeCharm
did you check my ip?
arma
yep
(actually, torstatus told me without checking)
StrangeCharm
hmn, i thought that i was connecting via tor.
Sebastian
your Tor relay's ip
not the IP of your irc user
(so easy to lose your anonymity)
StrangeCharm
right, that makes a lot more sense
actually, using the myfamily of my relay, you could locate some of my other computers around the world. there are some serious implications there
Chloe Barnwell
well, that was in the wrong tab
nsa
or: kloesing committed revision 21672 (/projects/archives/trunk/bridge-desc-sanitizer): Make it more clear that Tonga doesn't keep bridge descriptors.
or: Karsten Loesing <karsten.loesing@gmx.net>: 2010-02-17 10:03:23 [ernie/master]: Make it more clear that Tonga doesn't keep bridge descriptors.
weasel
helix: still around?
nsa
or: kloesing committed revision 21673 (/website/trunk/en): The metrics project page is about to die, long live the metrics website.
or: kloesing committed revision 21674 (/website/trunk/projects/en): Delete metrics project page. All contents are on the metrics website.
grumpy3
what is the metrics website?
metrics.torproject.org?
Tas
yep
grumpy3
ok, thx
Tas
yw :-)
grumpy3
"Tor users via bridges"
nsa
or: kloesing committed revision 21675 (/website/trunk): Replace link to metrics project page on translated pages, too.
grumpy3
if bridges are not public, how do we now how many users use them?
s/now/know/
Tas
I think that's data from the bridge authorities
the bridges publish that somehow, anonymized
grumpy3
ok
I don't know much about bridges, I should dig a bit
does anyone use arm?
a bit OT... but... can't get it work without some code fixes.
I must do something wrong
Tas
about two years ago I tested Tor on arm, but the current code has probably not much to do with that anymore
at that time it worked fine
grumpy3
Tas: do you know about any other soft like that one or vidalia, but for CLI?
Tas
there is an app for CLI which shows what Tor does, if that's what you mean
grumpy3
yep
Tas
not sure what the name was...
grumpy3
I can ask my question in an other way: how can I monitor my remote exit node?
Tas
that app was exactly for that
grumpy3
:)
And its name is... :D
Tas
I'm searching, but can't find it so far
grumpy3
no prob. I could also try to fix arm...
Sebastian
Tas: that app is called arm
;)
Tas
just found it, too :-)
err, so above was not about the arm architecture? then sorry
Sebastian
no
it was about arm, the advanced relay monitor :)
grumpy3
lol
Tas
I thought it was about arm, as in i386/ppc
etc
grumpy3
i got it
Sebastian
grumpy3: if you're on a BSD-based platform, arm is known to still have some issues.
grumpy3
my english is not very good, was maybe not using the good words :)
not on BSD
gentoo linux
Sebastian
I guess atagar would be interested to see your patches
Tas
so does arm compile on arm? ;-)
grumpy3
is he the apps maintainer?
Sebastian
Tas: arm is a python script
grumpy3: yes
grumpy3
Sebastian: thx
Tas
oh ok :-)
seems to run fine on my bridge :-)
Sebastian
Tas: neat. I'd advise you to start it with the -b option