3 TC: A Tor control protocol (Version 1)
7 This document describes an implementation-specific protocol that is used
8 for other programs (such as frontend user-interfaces) to communicate with a
9 locally running Tor process. It is not part of the Tor onion routing
12 This protocol replaces version 0 of TC, which is now deprecated. For
13 reference, TC is described in "control-spec-v0.txt". Implementors are
14 recommended to avoid using TC directly, but instead to use a library that
15 can easily be updated to use the newer protocol. (Version 0 is used by Tor
16 versions 0.1.0.x; the protocol in this document only works with Tor
17 versions in the 0.1.1.x series and later.)
21 TC is a bidirectional message-based protocol. It assumes an underlying
22 stream for communication between a controlling process (the "client"
23 or "controller") and a Tor process (or "server"). The stream may be
24 implemented via TCP, TLS-over-TCP, a Unix-domain socket, or so on,
25 but it must provide reliable in-order delivery. For security, the
26 stream should not be accessible by untrusted parties.
28 In TC, the client and server send typed messages to each other over the
29 underlying stream. The client sends "commands" and the server sends
32 By default, all messages from the server are in response to messages from
33 the client. Some client requests, however, will cause the server to send
34 messages to the client indefinitely far into the future. Such
35 "asynchronous" replies are marked as such.
37 Servers respond to messages in the order messages are received.
41 2.1. Description format
43 The message formats listed below use ABNF as described in RFC 2234.
44 The protocol itself is loosely based on SMTP (see RFC 2821).
46 We use the following nonterminals from RFC 2822: atom, qcontent
48 We define the following general-use nonterminals:
50 String = DQUOTE *qcontent DQUOTE
52 There are explicitly no limits on line length. All 8-bit characters are
53 permitted unless explicitly disallowed.
55 2.2. Commands from controller to Tor
57 Command = Keyword Arguments CRLF / "+" Keyword Arguments CRLF Data
59 Arguments = *(SP / VCHAR)
61 Specific commands and their arguments are described below in section 3.
63 2.3. Replies from Tor to the controller
65 Reply = *(MidReplyLine / DataReplyLine) EndReplyLine
67 MidReplyLine = "-" ReplyLine
68 DataReplyLine = "+" ReplyLine Data
69 EndReplyLine = SP ReplyLine
70 ReplyLine = StatusCode [ SP ReplyText ] CRLF
74 Specific replies are mentioned below in section 3, and described more fully
77 2.4. General-use tokens
79 ; Identifiers for servers.
80 ServerID = Nickname / Fingerprint
82 Nickname = 1*19 NicknameChar
83 NicknameChar = "a"-"z" / "A"-"Z" / "0" - "9"
84 Fingerprint = "$" 40*HEXDIG
86 ; A "=" indicates that the given nickname is canonical; a "~" indicates
87 ; that the given nickname is not canonical.
88 LongName = Fingerprint [ ( "=" / "~" ) Nickname ]
90 ; How a controller tells Tor about a particular OR. There are four
92 ; $Digest -- The router whose identity key hashes to the given digest.
93 ; This is the preferred way to refer to an OR.
94 ; $Digest~Name -- The router whose identity key hashes to the given
95 ; digest, but only if the router has the given nickname.
96 ; $Digest=Name -- The router whose identity key hashes to the given
97 ; digest, but only if the router is Named and has the given
99 ; Name -- The Named router with the given nickname, or, if no such
100 ; router exists, any router whose nickname matches the one given.
101 ; This is not a safe way to refer to routers, since Named status
102 ; could under some circumstances change over time.
103 ServerSpec = LongName / Nickname
105 ; Unique identifiers for streams or circuits. Currently, Tor only
106 ; uses digits, but this may change
107 StreamID = 1*16 IDChar
108 CircuitID = 1*16 IDChar
109 IDChar = ALPHA / DIGIT
111 Address = ip4-address / ip6-address / hostname (XXXX Define these)
113 ; A "Data" section is a sequence of octets concluded by the terminating
114 ; sequence CRLF "." CRLF. The terminating sequence may not appear in the
115 ; body of the data. Leading periods on lines in the data are escaped with
116 ; an additional leading period as in RFC 2821 section 4.5.2.
117 Data = *DataLine "." CRLF
118 DataLine = CRLF / "." 1*LineItem CRLF / NonDotItem *LineItem CRLF
119 LineItem = NonCR / 1*CR NonCRLF
120 NonDotItem = NonDotCR / 1*CR NonCRLF
124 All commands and other keywords are case-insensitive.
128 Change the value of one or more configuration variables. The syntax is:
130 "SETCONF" 1*(SP keyword ["=" String]) CRLF
132 Tor behaves as though it had just read each of the key-value pairs
133 from its configuration file. Keywords with no corresponding values have
134 their configuration values reset to 0 or NULL (use RESETCONF if you want
135 to set it back to its default). SETCONF is all-or-nothing: if there
136 is an error in any of the configuration settings, Tor sets none of them.
138 Tor responds with a "250 configuration values set" reply on success.
139 If some of the listed keywords can't be found, Tor replies with a
140 "552 Unrecognized option" message. Otherwise, Tor responds with a
141 "513 syntax error in configuration values" reply on syntax error, or a
142 "553 impossible configuration setting" reply on a semantic error.
144 When a configuration option takes multiple values, or when multiple
145 configuration keys form a context-sensitive group (see GETCONF below), then
146 setting _any_ of the options in a SETCONF command is taken to reset all of
147 the others. For example, if two ORBindAddress values are configured, and a
148 SETCONF command arrives containing a single ORBindAddress value, the new
149 command's value replaces the two old values.
153 Remove all settings for a given configuration option entirely, assign
154 its default value (if any), and then assign the String provided.
155 Typically the String is left empty, to simply set an option back to
156 its default. The syntax is:
158 "RESETCONF" 1*(SP keyword ["=" String]) CRLF
160 Otherwise it behaves like SETCONF above.
164 Request the value of a configuration variable. The syntax is:
166 "GETCONF" 1*(SP keyword) CRLF
168 If all of the listed keywords exist in the Tor configuration, Tor replies
169 with a series of reply lines of the form:
171 If any option is set to a 'default' value semantically different from an
172 empty string, Tor may reply with a reply line of the form:
175 If some of the listed keywords can't be found, Tor replies with a
176 "552 unknown configuration keyword" message.
178 If an option appears multiple times in the configuration, all of its
179 key-value pairs are returned in order.
181 Some options are context-sensitive, and depend on other options with
182 different keywords. These cannot be fetched directly. Currently there
183 is only one such option: clients should use the "HiddenServiceOptions"
184 virtual keyword to get all HiddenServiceDir, HiddenServicePort,
185 HiddenServiceNodes, and HiddenServiceExcludeNodes option settings.
189 Request the server to inform the client about interesting events. The
192 "SETEVENTS" [SP "EXTENDED"] *(SP EventCode) CRLF
194 EventCode = "CIRC" / "STREAM" / "ORCONN" / "BW" / "DEBUG" /
195 "INFO" / "NOTICE" / "WARN" / "ERR" / "NEWDESC" / "ADDRMAP" /
196 "AUTHDIR_NEWDESCS" / "DESCCHANGED" / "STATUS_GENERAL" /
197 "STATUS_CLIENT" / "STATUS_SERVER" / "GUARDS" / "NS" / "STREAM_BW"
199 Any events *not* listed in the SETEVENTS line are turned off; thus, sending
200 SETEVENTS with an empty body turns off all event reporting.
202 The server responds with a "250 OK" reply on success, and a "552
203 Unrecognized event" reply if one of the event codes isn't recognized. (On
204 error, the list of active event codes isn't changed.)
206 If the flag string "EXTENDED" is provided, Tor may provide extra
207 information with events for this connection; see 4.1 for more information.
208 NOTE: All events on a given connection will be provided in extended format,
210 NOTE: "EXTENDED" is only supported in Tor 0.1.1.9-alpha or later.
212 Each event is described in more detail in Section 4.1.
216 Sent from the client to the server. The syntax is:
217 "AUTHENTICATE" [ SP 1*HEXDIG / QuotedString ] CRLF
219 The server responds with "250 OK" on success or "515 Bad authentication" if
220 the authentication cookie is incorrect.
222 The format of the 'cookie' is implementation-dependent; see 5.1 below for
223 information on how the standard Tor implementation handles it.
225 If Tor requires authentication and the controller has not yet sent an
226 AUTHENTICATE message, Tor sends a "514 authentication required" reply to
227 any other kind of message.
231 Sent from the client to the server. The syntax is:
234 Instructs the server to write out its config options into its torrc. Server
235 returns "250 OK" if successful, or "551 Unable to write configuration
236 to disk" if it can't write the file or some other error occurs.
240 Sent from the client to the server. The syntax is:
242 "SIGNAL" SP Signal CRLF
244 Signal = "RELOAD" / "SHUTDOWN" / "DUMP" / "DEBUG" / "HALT" /
245 "HUP" / "INT" / "USR1" / "USR2" / "TERM" / "NEWNYM" /
248 The meaning of the signals are:
250 RELOAD -- Reload: reload config items, refetch directory. (like HUP)
251 SHUTDOWN -- Controlled shutdown: if server is an OP, exit immediately.
252 If it's an OR, close listeners and exit after 30 seconds.
254 DUMP -- Dump stats: log information about open connections and
255 circuits. (like USR1)
256 DEBUG -- Debug: switch all open logs to loglevel debug. (like USR2)
257 HALT -- Immediate shutdown: clean up and exit now. (like TERM)
258 CLEARDNSCACHE -- Forget the client-side cached IPs for all hostnames.
259 NEWNYM -- Switch to clean circuits, so new application requests
260 don't share any circuits with old ones. Also clears
261 the client-side DNS cache. (Tor MAY rate-limit its
262 response to this signal.)
264 The server responds with "250 OK" if the signal is recognized (or simply
265 closes the socket if it was asked to close immediately), or "552
266 Unrecognized signal" if the signal is unrecognized.
270 Sent from the client to the server. The syntax is:
272 "MAPADDRESS" 1*(Address "=" Address SP) CRLF
274 The first address in each pair is an "original" address; the second is a
275 "replacement" address. The client sends this message to the server in
276 order to tell it that future SOCKS requests for connections to the original
277 address should be replaced with connections to the specified replacement
278 address. If the addresses are well-formed, and the server is able to
279 fulfill the request, the server replies with a 250 message:
280 250-OldAddress1=NewAddress1
281 250 OldAddress2=NewAddress2
283 containing the source and destination addresses. If request is
284 malformed, the server replies with "512 syntax error in command
285 argument". If the server can't fulfill the request, it replies with
286 "451 resource exhausted".
288 The client may decline to provide a body for the original address, and
289 instead send a special null address ("0.0.0.0" for IPv4, "::0" for IPv6, or
290 "." for hostname), signifying that the server should choose the original
291 address itself, and return that address in the reply. The server
292 should ensure that it returns an element of address space that is unlikely
293 to be in actual use. If there is already an address mapped to the
294 destination address, the server may reuse that mapping.
296 If the original address is already mapped to a different address, the old
297 mapping is removed. If the original address and the destination address
298 are the same, the server removes any mapping in place for the original
302 C: MAPADDRESS 0.0.0.0=tor.eff.org 1.2.3.4=tor.freehaven.net
303 S: 250-127.192.10.10=tor.eff.org
304 S: 250 1.2.3.4=tor.freehaven.net
306 {Note: This feature is designed to be used to help Tor-ify applications
307 that need to use SOCKS4 or hostname-less SOCKS5. There are three
308 approaches to doing this:
309 1. Somehow make them use SOCKS4a or SOCKS5-with-hostnames instead.
310 2. Use tor-resolve (or another interface to Tor's resolve-over-SOCKS
311 feature) to resolve the hostname remotely. This doesn't work
312 with special addresses like x.onion or x.y.exit.
313 3. Use MAPADDRESS to map an IP address to the desired hostname, and then
314 arrange to fool the application into thinking that the hostname
315 has resolved to that IP.
316 This functionality is designed to help implement the 3rd approach.}
318 Mappings set by the controller last until the Tor process exits:
319 they never expire. If the controller wants the mapping to last only
320 a certain time, then it must explicitly un-map the address when that
325 Sent from the client to the server. The syntax is as for GETCONF:
326 "GETINFO" 1*(SP keyword) CRLF
327 one or more NL-terminated strings. The server replies with an INFOVALUE
328 message, or a 551 or 552 error.
330 Unlike GETCONF, this message is used for data that are not stored in the Tor
331 configuration file, and that may be longer than a single line. On success,
332 one ReplyLine is sent for each requested value, followed by a final 250 OK
333 ReplyLine. If a value fits on a single line, the format is:
335 If a value must be split over multiple lines, the format is:
339 Recognized keys and their values include:
341 "version" -- The version of the server's software, including the name
342 of the software. (example: "Tor 0.0.9.4")
344 "config-file" -- The location of Tor's configuration file ("torrc").
346 ["exit-policy/prepend" -- The default exit policy lines that Tor will
347 *prepend* to the ExitPolicy config option.
348 -- Never implemented. Useful?]
350 "exit-policy/default" -- The default exit policy lines that Tor will
351 *append* to the ExitPolicy config option.
353 "desc/id/<OR identity>" or "desc/name/<OR nickname>" -- the latest
354 server descriptor for a given OR, NUL-terminated.
356 "ns/id/<OR identity>" or "ns/name/<OR nickname>" -- the latest network
357 status info for a given OR. Network status info is as given in
358 dir-spec.txt, and reflects the current beliefs of this Tor about the
359 router in question. Like directory clients, controllers MUST
360 tolerate unrecognized flags and lines. The published date and
361 descriptor digest are those believed to be best by this Tor,
362 not necessarily those for a descriptor that Tor currently has.
363 [First implemented in 0.1.2.3-alpha.]
365 "ns/all" -- Network status info for all ORs we have an opinion about,
366 joined by newlines. [First implemented in 0.1.2.3-alpha.]
368 "desc/all-recent" -- the latest server descriptor for every router that
371 "network-status" -- a space-separated list of all known OR identities.
372 This is in the same format as the router-status line in directories;
373 see dir-spec-v1.txt section 3 for details. (If VERBOSE_NAMES is
374 enabled, the output will not conform to dir-spec-v1.txt; instead, the
375 result will be a space-separated list of LongName, each preceded by a
376 "!" if it is believed to be not running.)
379 "addr-mappings/config"
380 "addr-mappings/cache"
381 "addr-mappings/control" -- a space-separated list of address
382 mappings, each in the form of "from-address=to-address".
383 The 'config' key returns those address mappings set in the
384 configuration; the 'cache' key returns the mappings in the
385 client-side DNS cache; the 'control' key returns the mappings set
386 via the control interface; the 'all' target returns the mappings
387 set through any mechanism.
389 "address" -- the best guess at our external IP address. If we
390 have no guess, return a 551 error. (Added in 0.1.2.2-alpha)
392 "fingerprint" -- the contents of the fingerprint file that Tor
393 writes as a server, or a 551 if we're not a server currently.
394 (Added in 0.1.2.3-alpha)
397 A series of lines as for a circuit status event. Each line is of
399 CircuitID SP CircStatus [SP Path] CRLF
402 A series of lines as for a stream status event. Each is of the form:
403 StreamID SP StreamStatus SP CircID SP Target CRLF
406 A series of lines as for an OR connection status event. Each is of the
408 ServerID SP ORStatus CRLF
411 A series of lines listing the currently chosen entry guards, if any.
413 ServerID SP (Status-with-time / Status) CRLF
415 Status-with-time = ("down" / "unlisted") SP ISOTime
416 Status = ("up" / "never-connected")
418 [From 0.1.1.4-alpha to 0.1.1.10-alpha, this was called "helper-nodes".
419 Tor still supports calling it that for now, but support will be
423 "accounting/hibernating"
425 "accounting/bytes-left"
426 "accounting/interval-start"
427 "accounting/interval-wake"
428 "accounting/interval-end"
429 Information about accounting status. If accounting is enabled,
430 "enabled" is 1; otherwise it is 0. The "hibernating" field is "hard"
431 if we are accepting no data; "soft" if we're accepting no new
432 connections, and "awake" if we're not hibernating at all. The "bytes"
433 and "bytes-left" fields contain (read-bytes SP write-bytes), for the
434 start and the rest of the interval respectively. The 'interval-start'
435 and 'interval-end' fields are the borders of the current interval; the
436 'interval-wake' field is the time within the current interval (if any)
437 where we plan[ned] to start being active.
440 A series of lines listing the available configuration options. Each is
442 OptionName SP OptionType [ SP Documentation ] CRLF
444 OptionType = "Integer" / "TimeInterval" / "DataSize" / "Float" /
445 "Boolean" / "Time" / "CommaList" / "Dependant" / "Virtual" /
446 "String" / "LineList"
450 A series of lines listing the available GETINFO options. Each is of
452 OptionName SP Documentation CRLF
453 OptionPrefix SP Documentation CRLF
454 OptionPrefix = OptionName "/*"
457 A space-separated list of all the events supported by this version of
461 A space-separated list of all the events supported by this version of
464 "next-circuit/IP:port"
467 "dir/status/authority"
469 "dir/status/fp/<F1>+<F2>+<F3>"
472 "dir/server/fp/<F1>+<F2>+<F3>"
474 "dir/server/d/<D1>+<D2>+<D3>"
475 "dir/server/authority"
477 A series of lines listing directory contents, provided according to the
478 specification for the URLs listed in Section 4.4 of dir-spec.txt. Note
479 that Tor MUST NOT provide private information, such as descriptors for
480 routers not marked as general-purpose. When asked for 'authority'
481 information for which this Tor is not authoritative, Tor replies with
484 "status/circuit-established"
486 These provide the current internal Tor values for various Tor
487 states. See Section 4.1.10 for explanations. (Only a few of the
488 status events are available as getinfo's currently. Let us know if
489 you want more exposed.)
492 C: GETINFO version desc/name/moria1
493 S: 250+desc/name/moria=
494 S: [Descriptor for moria]
496 S: 250-version=Tor 0.1.1.0-alpha-cvs
501 Sent from the client to the server. The format is:
502 "EXTENDCIRCUIT" SP CircuitID SP
503 ServerSpec *("," ServerSpec) SP
504 ("purpose=" Purpose) CRLF
506 This request takes one of two forms: either the CircuitID is zero, in
507 which case it is a request for the server to build a new circuit according
508 to the specified path, or the CircuitID is nonzero, in which case it is a
509 request for the server to extend an existing circuit with that ID according
510 to the specified path.
512 If CircuitID is 0 and "purpose=" is specified, then the circuit's
513 purpose is set. Two choices are recognized: "general" and
514 "controller". If not specified, circuits are created as "general".
516 If the request is successful, the server sends a reply containing a
517 message body consisting of the CircuitID of the (maybe newly created)
518 circuit. The syntax is "250" SP "EXTENDED" SP CircuitID CRLF.
520 3.11. SETCIRCUITPURPOSE
522 Sent from the client to the server. The format is:
523 "SETCIRCUITPURPOSE" SP CircuitID SP Purpose CRLF
525 This changes the circuit's purpose. See EXTENDCIRCUIT above for details.
527 3.12. SETROUTERPURPOSE
529 Sent from the client to the server. The format is:
530 "SETROUTERPURPOSE" SP NicknameOrKey SP Purpose CRLF
532 This changes the descriptor's purpose. See +POSTDESCRIPTOR below
537 Sent from the client to the server. The syntax is:
538 "ATTACHSTREAM" SP StreamID SP CircuitID CRLF
540 This message informs the server that the specified stream should be
541 associated with the specified circuit. Each stream may be associated with
542 at most one circuit, and multiple streams may share the same circuit.
543 Streams can only be attached to completed circuits (that is, circuits that
544 have sent a circuit status 'BUILT' event or are listed as built in a
545 GETINFO circuit-status request).
547 If the circuit ID is 0, responsibility for attaching the given stream is
550 Tor responds with "250 OK" if it can attach the stream, 552 if the circuit
551 or stream didn't exist, or 551 if the stream couldn't be attached for
554 {Implementation note: Tor will close unattached streams by itself,
555 roughly two minutes after they are born. Let the developers know if
556 that turns out to be a problem.}
558 {Implementation note: By default, Tor automatically attaches streams to
559 circuits itself, unless the configuration variable
560 "__LeaveStreamsUnattached" is set to "1". Attempting to attach streams
561 via TC when "__LeaveStreamsUnattached" is false may cause a race between
562 Tor and the controller, as both attempt to attach streams to circuits.}
564 {Implementation note: You can try to attachstream to a stream that
565 has already sent a connect or resolve request but hasn't succeeded
566 yet, in which case Tor will detach the stream from its current circuit
567 before proceeding with the new attach request.}
571 Sent from the client to the server. The syntax is:
572 "+POSTDESCRIPTOR" ("purpose=" Purpose) CRLF Descriptor CRLF "." CRLF
574 This message informs the server about a new descriptor. If Purpose is
575 specified, it must be either "general" or "controller", else we
578 The descriptor, when parsed, must contain a number of well-specified
579 fields, including fields for its nickname and identity.
581 If there is an error in parsing the descriptor, the server must send a "554
582 Invalid descriptor" reply. If the descriptor is well-formed but the server
583 chooses not to add it, it must reply with a 251 message whose body explains
584 why the server was not added. If the descriptor is added, Tor replies with
589 Sent from the client to the server. The syntax is:
590 "REDIRECTSTREAM" SP StreamID SP Address (SP Port) CRLF
592 Tells the server to change the exit address on the specified stream. If
593 Port is specified, changes the destination port as well. No remapping
594 is performed on the new provided address.
596 To be sure that the modified address will be used, this event must be sent
597 after a new stream event is received, and before attaching this stream to
600 Tor replies with "250 OK" on success.
604 Sent from the client to the server. The syntax is:
606 "CLOSESTREAM" SP StreamID SP Reason *(SP Flag) CRLF
608 Tells the server to close the specified stream. The reason should be one
609 of the Tor RELAY_END reasons given in tor-spec.txt, as a decimal. Flags is
610 not used currently; Tor servers SHOULD ignore unrecognized flags. Tor may
611 hold the stream open for a while to flush any data that is pending.
613 Tor replies with "250 OK" on success, or a 512 if there aren't enough
614 arguments, or a 552 if it doesn't recognize the StreamID or reason.
619 CLOSECIRCUIT SP CircuitID *(SP Flag) CRLF
622 Tells the server to close the specified circuit. If "IfUnused" is
623 provided, do not close the circuit unless it is unused.
625 Other flags may be defined in the future; Tor SHOULD ignore unrecognized
628 Tor replies with "250 OK" on success, or a 512 if there aren't enough
629 arguments, or a 552 if it doesn't recognize the CircuitID.
633 Tells the server to hang up on this controller connection. This command
634 can be used before authenticating.
640 "USEFEATURE" *(SP FeatureName) CRLF
641 FeatureName = 1*(ALPHA / DIGIT / "_" / "-")
643 Sometimes extensions to the controller protocol break compatibility with
644 older controllers. In this case, whenever possible, the extensions are
645 first included in Tor disabled by default, and only enabled on a given
646 controller connection when the "USEFEATURE" command is given. Once a
647 "USEFEATURE" command is given, it applies to all subsequent interactions on
648 the same connection; to disable an enabled feature, a new controller
649 connection must be opened.
651 This is a forward-compatibility mechanism; each feature will eventually
652 become a regular part of the control protocol in some future version of Tor.
653 Tor will ignore a request to use any feature that is already on by default.
654 Tor will give a "552" error if any requested feature is not recognized.
656 Feature names are case-insensitive.
660 Same as passing 'EXTENDED' to SETEVENTS; this is the preferred way to
661 request the extended event syntax.
663 This will not be always-enabled until at least XXX (or, at least two
664 stable releases after XXX, the release where it was first used for
669 Instead of ServerID as specified above, the controller should
670 identify ORs by LongName in events and GETINFO results. This format is
671 strictly more informative: rather than including Nickname for
672 known Named routers and Fingerprint for unknown or unNamed routers, the
673 LongName format includes a Fingerprint, an indication of Named status,
674 and a Nickname (if one is known).
676 This will not be always-enabled until at least 0.1.4.x (or at least two
677 stable releases after 0.1.2.2-alpha, the release where it was first
682 Reply codes follow the same 3-character format as used by SMTP, with the
683 first character defining a status, the second character defining a
684 subsystem, and the third designating fine-grained information.
686 The TC protocol currently uses the following first characters:
688 2yz Positive Completion Reply
689 The command was successful; a new request can be started.
691 4yz Temporary Negative Completion reply
692 The command was unsuccessful but might be reattempted later.
694 5yz Permanent Negative Completion Reply
695 The command was unsuccessful; the client should not try exactly
696 that sequence of commands again.
698 6yz Asynchronous Reply
699 Sent out-of-order in response to an earlier SETEVENTS command.
701 The following second characters are used:
704 Sent in response to ill-formed or nonsensical commands.
707 Refers to operations of the Tor Control protocol.
710 Refers to actual operations of Tor system.
712 The following codes are defined:
715 251 Operation was unnecessary
716 [Tor has declined to perform the operation, but no harm was done.]
718 451 Resource exhausted
720 500 Syntax error: protocol
722 510 Unrecognized command
723 511 Unimplemented command
724 512 Syntax error in command argument
725 513 Unrecognized command argument
726 514 Authentication required
727 515 Bad authentication
729 550 Unspecified Tor error
732 [Something went wrong inside Tor, so that the client's
733 request couldn't be fulfilled.]
735 552 Unrecognized entity
736 [A configuration key, a stream ID, circuit ID, event,
737 mentioned in the command did not actually exist.]
739 553 Invalid configuration value
740 [The client tried to set a configuration option to an
741 incorrect, ill-formed, or impossible value.]
743 554 Invalid descriptor
747 650 Asynchronous event notification
749 Unless specified to have specific contents, the human-readable messages
750 in error replies should not be relied upon to match those in this document.
752 4.1. Asynchronous events
754 These replies can be sent after a corresponding SETEVENTS command has been
755 received. They will not be interleaved with other Reply elements, but they
756 can appear between a command and its corresponding reply. For example,
757 this sequence is possible:
761 C: GETCONF SOCKSPORT ORPORT
762 S: 650 CIRC 1000 EXTENDED moria1,moria2
763 S: 250-SOCKSPORT=9050
766 But this sequence is disallowed:
769 C: GETCONF SOCKSPORT ORPORT
770 S: 250-SOCKSPORT=9050
771 S: 650 CIRC 1000 EXTENDED moria1,moria2
774 Clients MUST tolerate more arguments in an asynchonous reply than
775 expected, and MUST tolerate more lines in an asynchronous reply than
776 expected. For instance, a client that expects a CIRC message like:
777 650 CIRC 1000 EXTENDED moria1,moria2
779 650-CIRC 1000 EXTENDED moria1,moria2 0xBEEF
783 If clients ask for extended events, then each event line as specified below
784 will be followed by additional extensions. Additional lines will be of the
786 "650" ("-"/" ") KEYWORD ["=" ARGUMENTS] CRLF
787 Additional arguments will be of the form
788 SP KEYWORD ["=" ( QuotedString / * NonSpDquote ) ]
789 Such clients MUST tolerate lines with keywords they do not recognize.
791 4.1.1. Circuit status changed
795 "650" SP "CIRC" SP CircuitID SP CircStatus [SP Path]
796 [SP "REASON=" Reason [SP "REMOTE_REASON=" Reason]] CRLF
799 "LAUNCHED" / ; circuit ID assigned to new circuit
800 "BUILT" / ; all hops finished, can now accept streams
801 "EXTENDED" / ; one more hop has been completed
802 "FAILED" / ; circuit closed (was not built)
803 "CLOSED" ; circuit closed (was built)
805 Path = ServerID *("," ServerID)
807 Reason = "NONE" / "TORPROTOCOL" / "INTERNAL" / "REQUESTED" /
808 "HIBERNATING" / "RESOURCELIMIT" / "CONNECTFAILED" /
809 "OR_IDENTITY" / "OR_CONN_CLOSED" / "TIMEOUT" /
810 "FINISHED" / "DESTROYED" / "NOPATH" / "NOSUCHSERVICE"
812 The path is provided only when the circuit has been extended at least one
815 The "REASON" field is provided only for FAILED and CLOSED events, and only
816 if extended events are enabled (see 3.19). Clients MUST accept reasons
817 not listed above. Reasons are as given in tor-spec.txt, except for:
819 NOPATH (Not enough nodes to make circuit)
821 The "REMOTE_REASON" field is provided only when we receive a DESTROY or
822 TRUNCATE cell, and only if extended events are enabled. It contains the
823 actual reason given by the remote OR for closing the circuit. Clients MUST
824 accept reasons not listed above. Reasons are as listed in tor-spec.txt.
826 4.1.2. Stream status changed
830 "650" SP "STREAM" SP StreamID SP StreamStatus SP CircID SP Target
831 [SP "REASON=" Reason [ SP "REMOTE_REASON=" Reason ]]
832 [SP "SOURCE=" Source] CRLF
835 "NEW" / ; New request to connect
836 "NEWRESOLVE" / ; New request to resolve an address
837 "REMAP" / ; Address re-mapped to another
838 "SENTCONNECT" / ; Sent a connect cell along a circuit
839 "SENTRESOLVE" / ; Sent a resolve cell along a circuit
840 "SUCCEEDED" / ; Received a reply; stream established
841 "FAILED" / ; Stream failed and not retriable
842 "CLOSED" / ; Stream closed
843 "DETACHED" ; Detached from circuit; still retriable
845 Target = Address ":" Port
847 The circuit ID designates which circuit this stream is attached to. If
848 the stream is unattached, the circuit ID "0" is given.
850 Reason = "MISC" / "RESOLVEFAILED" / "CONNECTREFUSED" /
851 "EXITPOLICY" / "DESTROY" / "DONE" / "TIMEOUT" /
852 "HIBERNATING" / "INTERNAL"/ "RESOURCELIMIT" /
853 "CONNRESET" / "TORPROTOCOL" / "NOTDIRECTORY" / "END"
855 The "REASON" field is provided only for FAILED, CLOSED, and DETACHED
856 events, and only if extended events are enabled (see 3.19). Clients MUST
857 accept reasons not listed above. Reasons are as given in tor-spec.txt,
860 END (We received a RELAY_END cell from the other side of thise
862 [XXXX document more.]
864 The "REMOTE_REASON" field is provided only when we receive a RELAY_END
865 cell, and only if extended events are enabled. It contains the actual
866 reason given by the remote OR for closing the stream. Clients MUST accept
867 reasons not listed above. Reasons are as listed in tor-spec.txt.
869 "REMAP" events include a Source if extended events are enabled:
870 Source = "CACHE" / "EXIT"
871 Clients MUST accept sources not listed above. "CACHE" is given if
872 the Tor client decided to remap the address because of a cached
873 answer, and "EXIT" is given if the remote node we queried gave us
874 the new address as a response.
876 4.1.3. OR Connection status changed
879 "650" SP "ORCONN" SP (ServerID / Target) SP ORStatus [ SP "REASON="
880 Reason ] [ SP "NCIRCS=" NumCircuits ]
882 ORStatus = "NEW" / "LAUNCHED" / "CONNECTED" / "FAILED" / "CLOSED"
884 NEW is for incoming connections, and LAUNCHED is for outgoing
885 connections. CONNECTED means the TLS handshake has finished (in
886 either direction). FAILED means a connection is being closed that
887 hasn't finished its handshake, and CLOSED is for connections that
890 A ServerID is specified unless it's a NEW connection, in which
891 case we don't know what server it is yet, so we use Address:Port.
893 If extended events are enabled (see 3.19), optional reason and
894 circuit counting information is provided for CLOSED and FAILED
897 Reason = "MISC" / "DONE" / "CONNECTREFUSED" /
898 "IDENTITY" / "CONNECTRESET" / "TIMEOUT" / "NOROUTE" /
901 NumCircuits counts both established and pending circuits.
904 4.1.4. Bandwidth used in the last second
907 "650" SP "BW" SP BytesRead SP BytesWritten *(SP Type "=" Num)
909 BytesWritten = 1*DIGIT
910 Type = "DIR" / "OR" / "EXIT" / "APP" / ...
913 BytesRead and BytesWritten are the totals. In Tor 0.1.x.y-alpha
914 and later, we also include a breakdown of the connection types
915 that used bandwidth this second (not implemented yet).
920 "650" SP Severity SP ReplyText
922 "650+" Severity CRLF Data
924 Severity = "DEBUG" / "INFO" / "NOTICE" / "WARN"/ "ERR"
926 4.1.6. New descriptors available
929 "650" SP "NEWDESC" 1*(SP ServerID)
931 4.1.7. New Address mapping
934 "650" SP "ADDRMAP" SP Address SP Address SP Expiry
935 Expiry = DQUOTE ISOTime DQUOTE / "NEVER"
937 Expiry is expressed as the local time (rather than GMT).
939 [XXX We should rename this to ADDRESSMAP. -RD]
940 [Why? Surely it can't be worth the compatibility issues. -NM]
942 4.1.8. Descriptors uploaded to us in our role as authoritative dirserver
945 "650" "+" "AUTHDIR_NEWDESCS" CRLF Action CRLF Message CRLF
946 Descriptor CRLF "." CRLF
947 Action = "ACCEPTED" / "DROPPED" / "REJECTED"
950 4.1.9. Our descriptor changed
953 "650" SP "DESCCHANGED"
955 [First added in 0.1.2.2-alpha.]
957 4.1.10. Status events
959 Status events (STATUS_GENERAL, STATUS_CLIENT, and STATUS_SERVER) are sent
960 based on occurrences in the Tor process pertaining to the general state of
961 the program. Generally, they correspond to log messages of severity Notice
962 or higher. They differ from log messages in that their format is a
966 "650" SP StatusType SP StatusSeverity SP StatusAction
967 [SP StatusArguments] CRLF
969 StatusType = "STATUS_GENERAL" / "STATUS_CLIENT" / "STATUS_SERVER"
970 StatusSeverity = "NOTICE" / "WARN" / "ERR"
971 StatusAction = 1*ALPHA
972 StatusArguments = StatusArgument *(SP StatusArgument)
973 StatusArgument = StatusKeyword '=' StatusValue
974 StatusKeyword = 1*(ALNUM / "_")
975 StatusValue = 1*(ALNUM / '_') / QuotedString
977 Action is a string, and Arguments is a series of keyword=value
978 pairs on the same line. Values may be space-terminated strings,
981 These events are always produced with EXTENDED_EVENTS and
982 VERBOSE_NAMES; see the explanations in the USEFEATURE section
985 Controllers MUST tolerate unrecognized actions, MUST tolerate
986 unrecognized arguments, MUST tolerate missing arguments, and MUST
987 tolerate arguments that arrive in any order.
989 Each event description below is accompanied by a recommendation for
990 controllers. These recommendations are suggestions only; no controller
991 is required to implement them.
993 Actions for STATUS_GENERAL events can be as follows:
997 Tor spent enough time without CPU cycles that it has closed all
998 its circuits and will establish them anew. This typically
999 happens when a laptop goes to sleep and then wakes up again. It
1000 also happens when the system is swapping so heavily that Tor is
1001 starving. The "time" argument specifies the number of seconds Tor
1002 thinks it was unconscious for (or alternatively, the number of
1003 seconds it went back in time).
1005 This status event is sent as NOTICE severity normally, but WARN
1006 severity if Tor is acting as a server currently.
1008 {Recommendation for controller: ignore it, since we don't really
1009 know what the user should do anyway. Hm.}
1013 "REASON=NEW/OLD/UNRECOMMENDED"
1014 "RECOMMENDED=\"version, version, ...\""
1015 Tor has found that directory servers don't recommend its version of
1016 the Tor software. RECOMMENDED is a comma-and-space-separated string
1017 of Tor versions that are recommended. REASON is NEW if this version
1018 of Tor is newer than any recommended version, OLD if this version of
1019 Tor is older than any recommended version, and UNRECOMMENDED if
1020 some recommended versions of Tor are newer and some are old than this
1023 {Controllers may want to suggest that the user upgrade OLD or
1024 UNRECOMMENDED versions. NEW versions may be known-insecure, or may
1025 simply be development versions.}
1027 TOO_MANY_CONNECTIONS
1029 Tor has reached its ulimit -n or whatever the native limit is on file
1030 descriptors or sockets. CURRENT is the number of sockets Tor
1031 currently has open. The user should really do something about
1032 this. The "current" argument shows the number of connections currently
1035 {Controllers may recommend that the user increase the limit, or
1036 increase it for them. Recommendations should be phrased in an
1037 OS-appropriate way and automated when possible.}
1041 Tor has encountered a situation that its developers never expected,
1042 and the developers would like to learn that it happened. Perhaps
1043 the controller can explain this to the user and encourage her to
1046 {Controllers should log bugs, but shouldn't annoy the user in case a
1047 bug appears frequently.}
1050 SKEW="+" / "-" SECONDS
1051 SOURCE="DIRSERV:IP:Port" / "NETWORKSTATUS:IP:PORT"
1052 If "SKEW" is present, it's an estimate of how far we are from the
1053 time declared in the source. If the source is a DIRSERV, we got
1054 the current time from a connection to a dirserver. If the source is
1055 a NETWORKSTATUS, we decided we're skewed because we got a
1056 networkstatus from far in the future.
1058 {Controllers may want to warn the user if the skew is high, or if
1059 multiple skew messages appear at severity WARN. Controllers
1060 shouldn't blindly adjust the clock, since the more accurate source
1061 of skew info (DIRSERV) is currently unauthenticated.}
1064 "METHOD=" libevent method
1065 "VERSION=" libevent version
1066 "BADNESS=" "BROKEN" / "BUGGY" / "SLOW"
1067 "RECOVERED=" "NO" / "YES"
1068 Tor knows about bugs in using the configured event method in this
1069 version of libevent. "BROKEN" libevents won't work at all;
1070 "BUGGY" libevents might work okay; "SLOW" libevents will work
1071 fine, but not quickly. If "RECOVERED" is YES, Tor managed to
1072 switch to a more reliable (but probably slower!) libevent method.
1074 {Controllers may want to warn the user if this event occurs, though
1075 generally it's the fault of whoever built the Tor binary and there's
1076 not much the user can do besides upgrade libevent or upgrade the
1080 Tor believes that none of the known directory servers are
1081 reachable -- this is most likely because the local network is
1082 down or otherwise not working, and might help to explain for the
1083 user why Tor appears to be broken.
1085 {Controllers may want to warn the user if this event occurs; further
1086 action is generally not possible.}
1088 Actions for STATUS_CLIENT events can be as follows:
1091 Tor now knows enough network-status documents and enough server
1092 descriptors that it's going to start trying to build circuits now.
1094 {Controllers may want to use this event to decide when to indicate
1095 progress to their users, but should not interrupt the user's browsing
1099 We discarded expired statuses and router descriptors to fall
1100 below the desired threshold of directory information. We won't
1101 try to build any circuits until ENOUGH_DIR_INFO occurs again.
1103 {Controllers may want to use this event to decide when to indicate
1104 progress to their users, but should not interrupt the user's browsing
1108 Tor is able to establish circuits for client use. This event will
1109 only be sent if we just built a circuit that changed our mind --
1110 that is, prior to this event we didn't know whether we could
1113 {Suggested use: controllers can notify their users that Tor is
1114 ready for use as a client once they see this status event. [Perhaps
1115 controllers should also have a timeout if too much time passes and
1116 this event hasn't arrived, to give tips on how to troubleshoot.
1117 On the other hand, hopefully Tor will send further status events
1118 if it can identify the problem.]}
1120 CIRCUIT_NOT_ESTABLISHED
1121 "REASON=" "EXTERNAL_ADDRESS" / "DIR_ALL_UNREACHABLE" / "CLOCK_JUMPED"
1122 We are no longer confident that we can build circuits. The "reason"
1123 keyword provides an explanation: which other status event type caused
1124 our lack of confidence.
1126 {Controllers may want to use this event to decide when to indicate
1127 progress to their users, but should not interrupt the user's browsing
1129 [Note: only REASON=CLOCK_JUMPED is implemented currently.]
1132 "PROTOCOL=SOCKS4/SOCKS5"
1134 A connection was made to Tor's SOCKS port using one of the SOCKS
1135 approaches that doesn't support hostnames -- only raw IP addresses.
1136 If the client application got this address from gethostbyname(),
1137 it may be leaking target addresses via DNS.
1139 {Controllers should warn their users when this occurs, unless they
1140 happen to know that the application using Tor is in fact doing so
1141 correctly (e.g., because it is part of a distributed bundle).}
1143 SOCKS_UNKNOWN_PROTOCOL
1145 A connection was made to Tor's SOCKS port that tried to use it
1146 for something other than the SOCKS protocol. Perhaps the user is
1147 using Tor as an HTTP proxy? The DATA is the first few characters
1148 sent to Tor on the SOCKS port.
1150 {Controllers may want to warn their users when this occurs: it
1151 indicates a misconfigured application.}
1154 "HOSTNAME=QuotedString"
1155 Some application gave us a funny-looking hostname. Perhaps
1156 it is broken? In any case it won't work with Tor and the user
1159 {Controllers may want to warn their users when this occurs: it
1160 usually indicates a misconfigured application.}
1162 Actions for STATUS_SERVER can be as follows:
1167 "METHOD=CONFIGURED/DIRSERV/RESOLVED/INTERFACE/GETHOSTNAME"
1168 Our best idea for our externally visible IP has changed to 'IP'.
1169 If 'HOSTNAME' is present, we got the new IP by resolving 'NAME'. If the
1170 method is 'CONFIGURED', the IP was given verbatim as a configuration
1171 option. If the method is 'RESOLVED', we resolved the Address
1172 configuration option to get the IP. If the method is 'GETHOSTNAME',
1173 we resolved our hostname to get the IP. If the method is 'INTERFACE',
1174 we got the address of one of our network interfaces to get the IP. If
1175 the method is 'DIRSERV', a directory server told us a guess for what
1178 {Controllers may want to record this info and display it to the user.}
1180 CHECKING_REACHABILITY
1182 "DIRADDRESS=IP:port"
1183 We're going to start testing the reachability of our external OR port
1186 {This event could effect the controller's idea of server status, but
1187 the controller should not interrupt the user to tell them so.}
1189 REACHABILITY_SUCCEEDED
1191 "DIRADDRESS=IP:port"
1192 We successfully verified the reachability of our external OR port or
1195 {This event could effect the controller's idea of server status, but
1196 the controller should not interrupt the user to tell them so.}
1198 GOOD_SERVER_DESCRIPTOR
1199 We successfully uploaded our server descriptor to each of the
1200 directory authorities, with no complaints.
1202 {This event could effect the controller's idea of server status, but
1203 the controller should not interrupt the user to tell them so.}
1207 "STATUS=" "UP" / "DOWN"
1209 One of our nameservers has changed status.
1212 {This event could effect the controller's idea of server status, but
1213 the controller should not interrupt the user to tell them so.}
1216 All of our nameservers have gone down.
1218 {This is a problem; if it happens often without the nameservers
1219 coming up again, the user needs to configure more or better
1223 Our DNS provider is providing an address when it should be saying
1224 "NOTFOUND"; Tor will treat the address as a synonym for "NOTFOUND".
1226 {This is an annoyance; controllers may want to tell admins that their
1227 DNS provider is not to be trusted.}
1230 Our DNS provider is giving a hijacked address instead of well-known
1231 websites; Tor will not try to be an exit node.
1233 {Controllers could warn the admin if the server is running as an
1234 exit server: the admin needs to configure a good DNS server.
1235 Alternatively, this happens a lot in some restrictive environments
1236 (hotels, universities, coffeeshops) when the user hasn't registered.}
1238 BAD_SERVER_DESCRIPTOR
1241 A directory authority rejected our descriptor. Possible reasons
1242 include malformed descriptors, incorrect keys, highly skewed clocks,
1245 {Controllers should warn the admin, and try to cope if they can.}
1247 ACCEPTED_SERVER_DESCRIPTOR
1249 A single directory authority accepted our descriptor.
1252 {This event could effect the controller's idea of server status, but
1253 the controller should not interrupt the user to tell them so.}
1257 "DIRADDRESS=IP:port"
1258 We failed to connect to our external OR port or directory port
1261 {This event could effect the controller's idea of server status. The
1262 controller should warn the admin and suggest reasonable steps to take.}
1264 4.1.11. Our set of guard nodes has changed
1267 "650" SP "GUARDS" SP Type SP Name SP Status ... CRLF
1269 Name = The (possibly verbose) nickname of the guard affected.
1270 Status = "NEW" | "UP" | "DOWN" | "BAD" | "GOOD" | "DROPPED"
1272 [explain states. XXX]
1274 4.1.12. Network status has changed
1277 "650" "+" "NS" CRLF 1*NetworkStatus "." CRLF
1279 [First added in 0.1.2.3-alpha]
1281 4.1.13. Bandwidth used on an application stream
1284 "650" SP "STREAM_BW" SP StreamID SP BytesRead SP BytesWritten
1286 BytesWritten = 1*DIGIT
1288 BytesRead and BytesWritten are the number of bytes read and written since
1289 the last STREAM_BW event on a stream. These events are generated about
1290 once per second per stream; No event is generated for streams that have not
1293 These events apply only to streams entering Tor (such as on a SOCKSPort,
1294 TransPort, or so on). They are not generated for exiting streams.
1296 5. Implementation notes
1300 By default, the current Tor implementation trusts all local users.
1302 If the 'CookieAuthentication' option is true, Tor writes a "magic cookie"
1303 file named "control_auth_cookie" into its data directory. To authenticate,
1304 the controller must send the contents of this file, encoded in hexadecimal.
1306 If the 'HashedControlPassword' option is set, it must contain the salted
1307 hash of a secret password. The salted hash is computed according to the
1308 S2K algorithm in RFC 2440 (OpenPGP), and prefixed with the s2k specifier.
1309 This is then encoded in hexadecimal, prefixed by the indicator sequence
1310 "16:". Thus, for example, the password 'foo' could encode to:
1311 16:660537E3E1CD49996044A3BF558097A981F539FEA2F9DA662B4626C1C2
1312 ++++++++++++++++**^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1315 You can generate the salt of a password by calling
1316 'tor --hash-password <password>'
1317 or by using the example code in the Python and Java controller libraries.
1318 To authenticate under this scheme, the controller sends Tor the original
1319 secret that was used to generate the password.
1321 5.2. Don't let the buffer get too big.
1323 If you ask for lots of events, and 16MB of them queue up on the buffer,
1324 the Tor process will close the socket.
1326 5.3. Backward compatibility with v0 control protocol.
1328 For backward compatibility with the "version 0" control protocol, Tor checks
1329 whether the third octet the first command is zero. If it is, Tor
1330 assumes that version 0 is in use. This feature is deprecated, and will be
1331 removed in the 0.1.3.x Tor development series.
1333 In order to detect which version of the protocol is supported controllers
1334 should send the sequence [00 00 0D 0A]. This is a valid and unrecognized
1335 command in both protocol versions, and implementations can detect which
1336 error they have received.