tor/privacy (socks5) option giving ssl error

Ileana ileana at fairieunderground.info
Tue Apr 2 23:05:52 EDT 2013


On Tue, 2 Apr 2013 21:46:20 -0400
Daniel Atallah <datallah at pidgin.im> wrote:

> >
> > Daniel,
> >
> > Sorry for the lack of context.  I am using tor and pidgin
> > Pidgin 2.10.6 (libpurple 2.10.6), on linux.
> >
> > I am connecting to a normal irc server.
> >
> > It works with socks 5, it doesn't work, and immediately fails, with
> > tor/privacy socks5 with error "ssl connection failed".
> >
> > When I try to connect to an IRC tor hidden service
> > address (blahblahblah.onion) I get:
> > "Unable to connect: Aborting DNS lookup in Tor Proxy mode."
> >
> > When I try to connect to a regular IRC address/hostname, I get "SSL
> > Connection Failed".
> 
> You'll need to provide more details - a sanitized debug log
> (Help->Debug Window) from when it tries to connect should help.
> 

(21:49:24) account: Connecting to account foo44353 at irc.oftc.net.
(21:49:24) connection: Connecting. gc = 0xb83c3868
(21:49:24) dnsquery: Performing DNS lookup for localhost
(21:49:24) dnsquery: Aborting DNS lookup in Tor Proxy mode.
(21:49:24) proxy: Connection attempt failed: Aborting DNS lookup in Tor Proxy mode.
(21:49:24) connection: Connection error on 0xb83c3868 (reason: 0 description: SSL Connection Failed)
(21:49:24) account: Disconnecting account foo44353 at irc.oftc.net (0xb7c39428)
(21:49:24) connection: Disconnecting connection 0xb83c3868
(21:49:24) connection: Destroying connection 0xb83c3868
(21:49:28) autorecon: do_signon called
(21:49:28) autorecon: calling purple_account_connect

I don't understand this...it says it is doing dns lookup for localhost?

Ahh! I found it...I had "localhost" in the settings rather than
127.0.0.1.

When I set it to 127.0.0.1 for the proxy host, it works.  I see, it
cuts off all local dns requests, including looking at the host file.

I am not sure if this should be documented...most other applications
(firefox, thunderbird, etc) have the option to do some names locally,
in particular, localhost should usually work.  This may be considered a
minor bug?


> 
> Again, it's hard to say without more information.  It's not possible
> to do all DNS requests through the proxy - you can pass a hostname to
> the proxy and have it resolve it, but e.g. a SRV request can't be done
> through a proxy.


> 
> No, that checkbox is globally applied, it doesn't need to be more
> granularly applied.

Perhaps you are right.  And I am mixed up in my statements.  socks 4
you have the option local/remote dns.  socks4a seems to automatically
do remote, no option, but pidgin doesn't seem to do socks4a.  And socks5
again the option, but it seems the common setting is to do remote
lookup.  

> 
> > I am concerned some users may be using pidgin incorrectly.  But you
> > might be right that it is a dns problem, and it is attempting the
> > lookup locally.  In the case of the TAILS OS, all dns is
> > transparently routed over the tor, so local dns gets resolved, and
> > that would work. But for most privacy users, local dns queries are
> > a big no-no, yet they need to be done, and hence are done via socks
> > 5 at proxy end.
> >
> > What is the workaround now? Use socks4 and make the changes? Is it
> > sufficient to turn off upnp and disable unnecessary plugins, or is
> > the tor/privacy setting doing stuff in the code that an end user
> > can't set manually?  I.E. If I just use socks5 and disable plugins,
> > is that enough?  Does it do anything versus ctcp/ping/dcc etc?
> 
> TAILS is pretty much irrelevant from the application perspective.
> I'm going to hold off answering the rest because we don't know what
> the problem is.
> 
OK...I see what you are saying.  I see how TAILS should be irrelevant
from the application end...up to the point the application itself is
sending out information that could deanonymize the client.  TAILS really
can't do anything about that, hence I like that pidgin is
compartmentalizing the problem by having this privacy setting.  I just
think it should be documented exactly what it is doing.

It seems your Tor/Privacy mode should keep the user, by any means
possible, from doing un-intentional loss of private information at the
application level.

Thanks for helping me resolve this, and your obvious work on this app,
which is really nice. I guess I will have to look at the code to see
exactly what is the difference from the socks5/torprivacy setting?  You
mentioned, obviously, it blocking DNS, and we see that here.  I am
wanting a full list of differences.
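
The two DNS decisions discussed in this thread, as an added example that is not part of the original post and is not Pidgin/libpurple code: the proxy host must already be an IP literal when local lookups are refused, and the destination hostname is handed to the proxy inside the SOCKS5 CONNECT request (RFC 1928, address type 0x03). The function names, `LocalDNSBlocked`, and ports 9050 and 6667 are assumptions for illustration.

```python
import ipaddress
import socket
import struct

class LocalDNSBlocked(Exception):
    """Raised when a name would have to be resolved by the local resolver."""

def proxy_endpoint(host, port, privacy_mode=True):
    """Return the (address, port) to dial for the SOCKS proxy itself.

    Models the behaviour seen in the debug log: in privacy mode nothing is
    resolved locally, so even "localhost" is rejected and only an IP literal
    such as 127.0.0.1 is accepted for the proxy host.
    """
    try:
        return str(ipaddress.ip_address(host)), port
    except ValueError:
        if privacy_mode:
            raise LocalDNSBlocked(f"refusing local lookup for {host!r}")
        return socket.gethostbyname(host), port  # ordinary local resolution

def socks5_connect_request(dest_host, dest_port):
    """Build a SOCKS5 CONNECT request (RFC 1928) without resolving dest_host.

    A hostname is sent as ATYP 0x03 so the proxy resolves it; this is the only
    way a .onion name can work, and it keeps the lookup off the local network.
    """
    head = b"\x05\x01\x00"  # VER=5, CMD=CONNECT, RSV=0
    try:
        ip = ipaddress.ip_address(dest_host)
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    except ValueError:
        name = dest_host.encode("ascii")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        addr = b"\x03" + bytes([len(name)]) + name
    return head + addr + struct.pack("!H", dest_port)

if __name__ == "__main__":
    # Port 9050 (proxy) and 6667 (IRC) are assumed values for the demo.
    for proxy_host in ("localhost", "127.0.0.1"):
        try:
            print(proxy_host, "->", proxy_endpoint(proxy_host, 9050))
        except LocalDNSBlocked as exc:
            print(proxy_host, "->", exc)
    print(socks5_connect_request("blahblahblah.onion", 6667).hex())
```
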



