Replies: 20 comments 68 replies
-
Sorry but that violates RFC 7686 #10705 |
Beta Was this translation helpful? Give feedback.
-
That's a bit surprising since 0ae0abb was merged after 8.0.1. We could consider adding an option that allows a user to change this behavior. |
Beta Was this translation helpful? Give feedback.
This comment was marked as disruptive content.
This comment was marked as disruptive content.
-
curl implemented this to follow RFC 7686 which states
Applications that do not implement the Tor protocol SHOULD generate an error upon the use of .onion and SHOULD NOT perform a DNS lookup.
curl & libcurl do not implement the Tor protocol, so "Please be reasonable" to me means to follow the RFCs.
|
Beta Was this translation helpful? Give feedback.
-
I think "it breaks my weirdo use case" is a weak argument when there is a clear RFC saying how things should work. |
Beta Was this translation helpful? Give feedback.
-
IIRC we backported @Kangie's patch in Gentoo once it'd been reviewed, but OP was already having issues because we switched to enabling adns by default. We don't do anything else to do with proxies and it's purely their setup. |
Beta Was this translation helpful? Give feedback.
-
Hi all, I thought this might come up (and alluded to it in my PR). I was alerted to this being an "issue" due to Gentoo bug 887287. TL;DR: depending on how cURL was compiled before (using internal or c-ares DNS resolution) you would get different results when attempting to resolve The PR both resolved a longstanding known issue with cURL where we were not respecting RFC7686 and ensured consistency between DNS resolution backends. @kaizushi: You're a Gentoo user. Please feel free to use portages localpatches function to patch out the RFC7686 checks; the PR has been linked here and you only need to worry about the 8 lines in @bagder Sorry about the 8.0.x confusion, the onion resolution stuff got patched in Gentoo a little early as I knew I'd be away for a bit around the 8.0.0 release and wanted to ensure that our users weren't vulnerable. |
Beta Was this translation helpful? Give feedback.
This comment was marked as disruptive content.
This comment was marked as disruptive content.
-
Don't use proxychains with curl, use its flag --socks5-hostname and it should resolve everything properly. @kaizushi in my setup |
Beta Was this translation helpful? Give feedback.
-
Hi, I have implemented a centralized tor outbound in my internal network. As well I implemented a dns resolver for the # curl -vI https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion
* Trying *.*.*.*:443...
* Connected to dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion (*.*.*.*) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
* subject: jurisdictionC=US; jurisdictionST=Delaware; businessCategory=Private Organization; serialNumber=4710875; C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=tor.cloudflare-dns.com
* start date: Dec 14 00:00:00 2022 GMT
* expire date: Dec 13 23:59:59 2023 GMT
* subjectAltName: host "dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion" matched cert's "dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
* SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: HEAD]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x557b914e0c70)
> HEAD / HTTP/2
> Host: dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion
> user-agent: curl/7.88.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200
HTTP/2 200
< date: Tue, 20 Jun 2023 **:**:** GMT
date: Tue, 20 Jun 2023 **:**:** GMT
< content-type: text/html
content-type: text/html
< nel: {"report_to":"cf-nel","max_age":604800}
nel: {"report_to":"cf-nel","max_age":604800}
< last-modified: Thu, 04 Aug 2022 19:10:01 GMT
last-modified: Thu, 04 Aug 2022 19:10:01 GMT
< strict-transport-security: max-age=31536000
strict-transport-security: max-age=31536000
< served-in-seconds: 0.002
served-in-seconds: 0.002
< cache-control: max-age=600
cache-control: max-age=600
< cf-cache-status: DYNAMIC
cf-cache-status: DYNAMIC
< server: cloudflare
server: cloudflare
<
* Connection #0 to host dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion left intact But with curl 8.1 this behavior was broken (even with the $ curl -vi https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion --resolve "*:443:*.*.*.*"
* Added *:443:*.*.*.* to DNS cache
* RESOLVE *:443 using wildcard
* Not resolving .onion address (RFC 7686)
* Could not resolve host: dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion
* Closing connection 0
curl: (6) Not resolving .onion address (RFC 7686) Is it possible to add a compatibility flag to make the old program work as well? |
Beta Was this translation helpful? Give feedback.
-
OK, I'm going to do a drive-by revival of this discussion and then safely ignore it for a while. Current status (July '23):
My personal thoughts are that adding an envvar for this is a short-sighted band-aid solution at best; we (that is, you, the people who care about this) can do better. To quote my last update upstream:
Unfortunately, this isn't something that cURL can resolve. I would encourage those that are interested in this topic to continue the discussion along these lines upstream. The above question (and implied RFC compliance) does bring me to another question that I have: Is transproxying the recommended / sane approach for what you want to do? I see a lot of unsupported claims of better security from individuals with these "interesting" network configurations, but no real-world evidence that it's the better / preferred approach (and I'm not digging into it myself right now, nor will I engage in flame wars on the topic here). Please consider that those using custom transproxy (or SOCKS) configurations make up a very small proportion of total Tor users. My primary concern in this matter is the far greater number of non-technically-inclined users who are at risk of accidentally leaking that they're using Tor to an adversary and ending up imprisoned (or worse...). I don't think that anyone is necessarily wrong for wanting their existing solution to work, but I do think that anyone complaining about this (and not working to find a real solution) is failing to see the bigger picture. If you have the expertise to run a complex environment please revert the cURL RFC 7686 patches and build your own binary (on my laptop that takes about 90 seconds [including running tests]); groups such as Tails or Whonix who provide turnkey environments will probably consider doing this anyway. |
Beta Was this translation helpful? Give feedback.
-
a workaround is to explicitly use a tor socks5h proxy usually this is - torsocks curl http://gg6zxtreajiijztyy5g6bt5o6l3qu32nrg7eulyemlhxwwl6enk6ghad.onion
+ curl --proxy socks5h://127.0.0.1:9050 http://gg6zxtreajiijztyy5g6bt5o6l3qu32nrg7eulyemlhxwwl6enk6ghad.onion - torsocks git clone http://gg6zxtreajiijztyy5g6bt5o6l3qu32nrg7eulyemlhxwwl6enk6ghad.onion/RightToPrivacy/Gitea-Onion
+ git -c remote.origin.proxy=socks5h://127.0.0.1:9050 clone http://gg6zxtreajiijztyy5g6bt5o6l3qu32nrg7eulyemlhxwwl6enk6ghad.onion/RightToPrivacy/Gitea-Onion
+ # TODO ideally avoid this:
+ git -C Gitea-Onion config --add remote.origin.proxy socks5h://127.0.0.1:9050 see also https://gitlab.torproject.org/tpo/core/torsocks/-/issues/40016 - torsocks fails to set socks5h proxy for curl, git, ... - Not resolving .onion address (RFC 7686) |
Beta Was this translation helpful? Give feedback.
-
While this is incredibly admirable open source effort, do be sure this is the right thing to do/concession to make, considering TOR people wrote the RFC that sparked this whole thing. AIUI TOR is intended to be a completely anonymised practically sandboxed browsing experience, libcurl is practically ubiquitous across a huge surface of open source as well as private projects. "App leaks TOR user information due to improper use of libcurl" becomes a possibility with this decision. I'm not implying misuse is the responsibility of you the maintainer, I am simply pointing out that you're opening a door for it that's previously been closed due to adherence to an RFC that intended to close it. |
Beta Was this translation helpful? Give feedback.
-
You need to calm down and consider this from a higher level, broader strokes perspective. It's nothing like potential drug abuse; it does however add rather wide reaching considerations for developers, system administrators, sec ops and code reviewers as soon as the option exists. I'd actually suggest asking TOR to modify the RFC to sanction these kinds of overrides if they're going to happen, so people looking up the TOR spec are informed adequately. Going off spec historically causes problems and this isn't an exception no matter how much you want your own personal little Hackers cosplay to work the way you say it should. |
Beta Was this translation helpful? Give feedback.
-
Hey all, I have started on a pull request to provide the plumbing needed to make the prohibition on |
Beta Was this translation helpful? Give feedback.
-
Can somebody point me to the reason why .onion is not supposed to be resolved by non-tor software? How do we define "Applications that do not implement the Tor protocol"? Say there's a browser that has nothing to do with the Tor protocol, but can be configured to use a socks5 proxy. Is it considered "Applications that do not implement the Tor protocol"? My browser gives me the option to select whether to use proxy for DNS resolution, which has been working sufficiently for me when using Tor circuit. While the DNS problem can be perfectly solved in a very general way aforementioned, why is it necessary to force all non-tor software to give error when resolving .onion domain names? |
Beta Was this translation helpful? Give feedback.
-
It's all in RFC 7686.
|
Beta Was this translation helpful? Give feedback.
-
The RFC in question is dated October 2015. Why is it only implemented recently? |
Beta Was this translation helpful? Give feedback.
-
POP-3 support was added 21 years after the POP-3 RFC came out. That's just when it happened.
|
Beta Was this translation helpful? Give feedback.
-
https://lists.torproject.org/pipermail/tor-dev/2023-November/014862.html provides new insights by Silvio Rhatto from torproject.org. Quote:
So this should be reverted from There was no opposition against options to change these settings either.
The only missing thing is a standardized recommendation how to disable this. Meanwhile I suggest environment variable |
Beta Was this translation helpful? Give feedback.
-
I did this
Curl will not resolve onion addresses anymore on my system. This is because of RFC 7686, and the change was made because of DNS leakage. I have a good handle on any possible DNS leakage and do not need this feature, and it in fact breaks my system. I use transparent proxying, and I am certain DNS leakage is impossible here.
curl/libcurl version
curl 8.0.1 (x86_64-pc-linux-gnu) libcurl/8.0.1 OpenSSL/1.1.1t zlib/1.2.13 libidn2/2.3.4 nghttp2/1.51.0
Release-Date: 2023-03-20
Protocols: dict file ftp ftps http https imap imaps mqtt pop3 pop3s rtsp smtp smtps tftp
Features: AsynchDNS HTTP2 HTTPS-proxy IDN IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP UnixSockets
operating system
Gentoo Linux (default/linux/amd64/17.1/hardened/selinux)
Beta Was this translation helpful? Give feedback.
All reactions