tinc behind sslh

Varda Zklir v20z at yahoo.com
Sat Nov 12 18:01:02 CET 2011


Thanks for your quick reply, Guus.

> The problem is in sslh. There is a bug in the detection of
> tinc's protocol,
> which the attached patch should fix.

I've already tried something similar but less refined, simply with:

#include <string.h>

int is_tinc_protocol(const char *p, int len)
{
    if (len < 2)   /* not enough data yet to compare against "0 " */
        return 0;
    return !strncmp(p, "0 ", 2);
}

Which should return 1. But this has no effect because there is no "0 " from the client. Below is the tcpdump output between "Trying to connect" and "Closing connection". Even the identification "0 client 17.0" is not present.

# tcpdump -Xni int0 port 443
21:33:47.406219 IP 192.168.0.2.19781 > 192.168.0.1.443: Flags [S], seq 888227560, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 615000295 ecr 0], length 0
        0x0000:  4500 003c b31b 4000 4006 0554 c0a8 0001  E..<..@.@..T....
        0x0010:  c0a8 00fb 4d45 007b 34f1 46e8 0000 0000  ....ME.{4.F.....
        0x0020:  a002 ffff ae8e 0000 0204 05b4 0103 0303  ................
        0x0030:  0402 080a 24a8 28e7 0000 0000            ....$.(.....
21:33:47.406241 IP 192.168.0.1.443 > 192.168.0.2.19781: Flags [S.], seq 2941630688, ack 888227561, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 1507288258 ecr 615000295], length 0
        0x0000:  4500 003c abfe 4000 4006 0c71 c0a8 00fb  E..<..@.@..q....
        0x0010:  c0a8 0001 007b 4d45 af55 b8e0 34f1 46e9  .....{ME.U..4.F.
        0x0020:  a012 ffff 827b 0000 0204 05b4 0103 0303  .....{..........
        0x0030:  0402 080a 59d7 64c2 24a8 28e7            ....Y.d.$.(.
21:33:47.406314 IP 192.168.0.2.19781 > 192.168.0.1.443: Flags [.], ack 1, win 8326, options [nop,nop,TS val 615000295 ecr 1507288258], length 0
        0x0000:  4500 0034 b31c 4000 4006 055b c0a8 0001  E..4..@.@..[....
        0x0010:  c0a8 00fb 4d45 007b 34f1 46e9 af55 b8e1  ....ME.{4.F..U..
        0x0020:  8010 2086 95ef 0000 0101 080a 24a8 28e7  ............$.(.
        0x0030:  59d7 64c2                                Y.d.
21:33:57.323369 IP 192.168.0.1.443 > 192.168.0.2.19781: Flags [F.], seq 1, ack 1, win 8326, options [nop,nop,TS val 1507298259 ecr 615000295], length 0
        0x0000:  4500 0034 ac21 4000 4006 0c56 c0a8 00fb  E..4.!@.@..V....
        0x0010:  c0a8 0001 007b 4d45 af55 b8e1 34f1 46e9  .....{ME.U..4.F.
        0x0020:  8011 2086 8273 0000 0101 080a 59d7 8bd3  .....s......Y...
        0x0030:  24a8 28e7                                $.(.
21:33:57.323425 IP 192.168.0.2.19781 > 192.168.0.1.443: Flags [.], ack 2, win 8326, options [nop,nop,TS val 615010212 ecr 1507298259], length 0
        0x0000:  4500 0034 b494 4000 4006 03e3 c0a8 0001  E..4..@.@.......
        0x0010:  c0a8 00fb 4d45 007b 34f1 46e9 af55 b8e2  ....ME.{4.F..U..
        0x0020:  8010 2086 4820 0000 0101 080a 24a8 4fa4  ....H.......$.O.
        0x0030:  59d7 8bd3                                Y...
21:33:57.323511 IP 192.168.0.2.19781 > 192.168.0.1.443: Flags [F.], seq 1, ack 2, win 8326, options [nop,nop,TS val 615010212 ecr 1507298259], length 0
        0x0000:  4500 0034 b495 4000 4006 03e2 c0a8 0001  E..4..@.@.......
        0x0010:  c0a8 00fb 4d45 007b 34f1 46e9 af55 b8e2  ....ME.{4.F..U..
        0x0020:  8011 2086 481f 0000 0101 080a 24a8 4fa4  ....H.......$.O.
        0x0030:  59d7 8bd3                                Y...
21:33:57.323529 IP 192.168.0.1.443 > 192.168.0.2.19781: Flags [.], ack 2, win 8325, options [nop,nop,TS val 1507298259 ecr 615010212], length 0
        0x0000:  4500 0034 ac22 4000 4006 0c55 c0a8 00fb  E..4."@.@..U....
        0x0010:  c0a8 0001 007b 4d45 af55 b8e2 34f1 46ea  .....{ME.U..4.F.
        0x0020:  8010 2085 8273 0000 0101 080a 59d7 8bd3  .....s......Y...
        0x0030:  24a8 4fa4                                $.O.

There is FreeBSD 8.2 on both sides, and I've used sslh 1.9 and 1.10-rc1 and tinc versions 1.1pre2, 1.0.16 and 1.0.15. The result is the same: no client ID is sent.


Also, there is some issue with 1.1pre2. It works with -D -d5 but exits if run without debug:

Nov 12 17:27:11 server tinc[45914]: tincd 1.1pre2 (Nov 12 2011 17:26:59) starting, debug level 0
Nov 12 17:27:11 server kernel: tap0: link state changed to UP
Nov 12 17:27:11 server tinc[45914]: Ready
Nov 12 17:27:11 server tinc[45914]: Error while waiting for input: Bad file descriptor
Nov 12 17:27:11 server tinc[45914]: Terminating
Nov 12 17:27:11 server kernel: tap0: link state changed to DOWN

The same with tun and tap devices.

Versions 1.0.15 and 1.0.16 work fine without debug.

Thank You.
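As an added example (not code from this thread, nor from sslh or tinc), here is the kind of stricter tinc probe the exchange above is about, in the shape of an sslh-style first-bytes demultiplexer: it parses the whole ID line "0 <name> <version>" rather than only the first two bytes, distinguishes "no match" from "not enough data yet", and shows that an empty buffer, which is all the trace above ever gives the server before it closes the connection, can only be resolved by the idle-timeout fallback. The tri-state result type, the classify() dispatcher, its backend names and all sample buffers are assumptions made for this example.

```c
/* Added example, not code from this thread, sslh or tinc: an sslh-style
 * first-bytes probe for tinc's ID line "0 <name> <version>\n", plus a small
 * dispatcher that tries the probes in order.  The tri-state result, the
 * dispatcher, its backend names and the sample buffers are assumptions
 * made for this example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum probe_result { PROBE_NO_MATCH = 0, PROBE_MATCH = 1, PROBE_NEED_MORE = 2 };

/* Parse as much of "0 <name> <version>\n" as the buffer holds.
 * <name> is assumed to be [A-Za-z0-9_]+ and <version> [0-9.]+ .
 * NEED_MORE is returned whenever the bytes seen so far are still a valid
 * prefix of an ID line, so the caller can wait for more data instead of
 * rejecting a client that has simply not finished its first line. */
enum probe_result is_tinc_protocol(const char *p, size_t len)
{
    size_t i, start;

    if (len < 1) return PROBE_NEED_MORE;
    if (p[0] != '0') return PROBE_NO_MATCH;          /* request type ID */
    if (len < 2) return PROBE_NEED_MORE;
    if (p[1] != ' ') return PROBE_NO_MATCH;

    /* node name */
    start = i = 2;
    while (i < len && (isalnum((unsigned char)p[i]) || p[i] == '_'))
        i++;
    if (i == len) return PROBE_NEED_MORE;            /* name may continue */
    if (i == start || p[i] != ' ') return PROBE_NO_MATCH;
    i++;

    /* protocol version, e.g. "17" (1.0.x) or "17.0" (1.1pre) */
    start = i;
    while (i < len && (isdigit((unsigned char)p[i]) || p[i] == '.'))
        i++;
    if (i == len) return PROBE_NEED_MORE;            /* version may continue */
    if (i == start || p[i] != '\n') return PROBE_NO_MATCH;
    return PROBE_MATCH;
}

/* Generic fixed-prefix probe, used here for the "SSH-" banner. */
static enum probe_result prefix_probe(const char *p, size_t len, const char *prefix)
{
    size_t n = strlen(prefix);
    size_t cmp = len < n ? len : n;

    if (memcmp(p, prefix, cmp) != 0) return PROBE_NO_MATCH;
    return len < n ? PROBE_NEED_MORE : PROBE_MATCH;
}

/* Run the probes in order.  A backend name is returned on a match.  If no
 * probe matched but at least one still wants more bytes, "need-more" is
 * returned, unless the idle timeout has expired, in which case the silent
 * client goes to the timeout fallback (sslh's -t timeout forwards such
 * clients to SSH; that choice is mirrored here).  Input every probe
 * rejects goes to the default backend, "ssl". */
const char *classify(const char *p, size_t len, int timed_out)
{
    int undecided = 0;
    enum probe_result r;

    r = is_tinc_protocol(p, len);
    if (r == PROBE_MATCH) return "tinc";
    if (r == PROBE_NEED_MORE) undecided = 1;

    r = prefix_probe(p, len, "SSH-");
    if (r == PROBE_MATCH) return "ssh";
    if (r == PROBE_NEED_MORE) undecided = 1;

    if (undecided) return timed_out ? "ssh" : "need-more";
    return "ssl";
}

int main(void)
{
    /* Constructed sample first-bytes; none are taken from the trace above. */
    struct { const char *label; const char *buf; size_t len; int timed_out; } s[] = {
        { "tinc 1.1pre ID line",    "0 client 17.0\n",         14, 0 },
        { "tinc 1.0.x ID line",     "0 client 17\n",           12, 0 },
        { "partial ID line",        "0 client",                 8, 0 },
        { "ssh banner",             "SSH-2.0-OpenSSH_5.8\r\n", 21, 0 },
        { "tls client hello",       "\x16\x03\x01",             3, 0 },
        { "silent client, waiting", "",                         0, 0 },
        { "silent client, timeout", "",                         0, 1 },
    };
    size_t n;

    for (n = 0; n < sizeof s / sizeof s[0]; n++)
        printf("%-24s -> %s\n", s[n].label,
               classify(s[n].buf, s[n].len, s[n].timed_out));
    return 0;
}
```

The point of the NEED_MORE result is the trace above: with zero payload bytes from the client, no first-bytes probe can ever match, so the connection can only end up wherever the demultiplexer sends silent clients once its timeout expires, which is why getting the tinc client to send its ID line matters more than refining the probe.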


More information about the tinc mailing list