3 TC: A Tor control protocol (Version 1)
7 This document describes an implementation-specific protocol that is used
8 for other programs (such as frontend user-interfaces) to communicate with a
9 locally running Tor process. It is not part of the Tor onion routing
12 This protocol replaces version 0 of TC, which is now deprecated. For
13 reference, TC is described in "control-spec-v0.txt". Implementors are
14 recommended to avoid using TC directly, but instead to use a library that
15 can easily be updated to use the newer protocol. (Version 0 is used by Tor
16 versions 0.1.0.x; the protocol in this document only works with Tor
17 versions in the 0.1.1.x series and later.)
21 TC is a bidirectional message-based protocol. It assumes an underlying
22 stream for communication between a controlling process (the "client"
23 or "controller") and a Tor process (or "server"). The stream may be
24 implemented via TCP, TLS-over-TCP, a Unix-domain socket, or so on,
25 but it must provide reliable in-order delivery. For security, the
26 stream should not be accessible by untrusted parties.
28 In TC, the client and server send typed messages to each other over the
29 underlying stream. The client sends "commands" and the server sends
32 By default, all messages from the server are in response to messages from
33 the client. Some client requests, however, will cause the server to send
34 messages to the client indefinitely far into the future. Such
35 "asynchronous" replies are marked as such.
37 Servers respond to messages in the order messages are received.
41 2.1. Description format
43 The message formats listed below use ABNF as described in RFC 2234.
44 The protocol itself is loosely based on SMTP (see RFC 2821).
46 We use the following nonterminals from RFC 2822: atom, qcontent
48 We define the following general-use nonterminals:
50 String = DQUOTE *qcontent DQUOTE
52 There are explicitly no limits on line length. All 8-bit characters are
53 permitted unless explicitly disallowed.
55 2.2. Commands from controller to Tor
57 Command = Keyword Arguments CRLF / "+" Keyword Arguments CRLF Data
59 Arguments = *(SP / VCHAR)
61 Specific commands and their arguments are described below in section 3.
63 2.3. Replies from Tor to the controller
65 Reply = *(MidReplyLine / DataReplyLine) EndReplyLine
67 MidReplyLine = "-" ReplyLine
68 DataReplyLine = "+" ReplyLine Data
69 EndReplyLine = SP ReplyLine
70 ReplyLine = StatusCode [ SP ReplyText ] CRLF
74 Specific replies are mentioned below in section 3, and described more fully
77 2.4. General-use tokens
79 ; Identifiers for servers.
80 ServerID = Nickname / Fingerprint
82 Nickname = 1*19 NicknameChar
83 NicknameChar = "a"-"z" / "A"-"Z" / "0" - "9"
84 Fingerprint = "$" 40*HEXDIG
86 ; A "=" indicates that the given nickname is canonical; a "~" indicates
87 ; that the given nickname is not canonical.
88 LongName = Fingerprint [ ( "=" / "~" ) Nickname ]
90 ; How a controller tells Tor about a particular OR. There are four
92 ; $Digest -- The router whose identity key hashes to the given digest.
93 ; This is the preferred way to refer to an OR.
94 ; $Digest~Name -- The router whose identity key hashes to the given
95 ; digest, but only if the router has the given nickname.
96 ; $Digest=Name -- The router whose identity key hashes to the given
97 ; digest, but only if the router is Named and has the given
99 ; Name -- The Named router with the given nickname, or, if no such
100 ; router exists, any router whose nickname matches the one given.
101 ; This is not a safe way to refer to routers, since Named status
102 ; could under some circumstances change over time.
103 ServerSpec = LongName / Nickname
105 ; Unique identifiers for streams or circuits. Currently, Tor only
106 ; uses digits, but this may change
107 StreamID = 1*16 IDChar
108 CircuitID = 1*16 IDChar
109 IDChar = ALPHA / DIGIT
111 Address = ip4-address / ip6-address / hostname (XXXX Define these)
113 ; A "Data" section is a sequence of octets concluded by the terminating
114 ; sequence CRLF "." CRLF. The terminating sequence may not appear in the
115 ; body of the data. Leading periods on lines in the data are escaped with
116 ; an additional leading period as in RFC 2821 section 4.5.2.
117 Data = *DataLine "." CRLF
118 DataLine = CRLF / "." 1*LineItem CRLF / NonDotItem *LineItem CRLF
119 LineItem = NonCR / 1*CR NonCRLF
120 NonDotItem = NonDotCR / 1*CR NonCRLF
124 All commands and other keywords are case-insensitive.
128 Change the value of one or more configuration variables. The syntax is:
130 "SETCONF" 1*(SP keyword ["=" String]) CRLF
132 Tor behaves as though it had just read each of the key-value pairs
133 from its configuration file. Keywords with no corresponding values have
134 their configuration values reset to 0 or NULL (use RESETCONF if you want
135 to set it back to its default). SETCONF is all-or-nothing: if there
136 is an error in any of the configuration settings, Tor sets none of them.
138 Tor responds with a "250 configuration values set" reply on success.
139 If some of the listed keywords can't be found, Tor replies with a
140 "552 Unrecognized option" message. Otherwise, Tor responds with a
141 "513 syntax error in configuration values" reply on syntax error, or a
142 "553 impossible configuration setting" reply on a semantic error.
144 When a configuration option takes multiple values, or when multiple
145 configuration keys form a context-sensitive group (see GETCONF below), then
146 setting _any_ of the options in a SETCONF command is taken to reset all of
147 the others. For example, if two ORBindAddress values are configured, and a
148 SETCONF command arrives containing a single ORBindAddress value, the new
149 command's value replaces the two old values.
153 Remove all settings for a given configuration option entirely, assign
154 its default value (if any), and then assign the String provided.
155 Typically the String is left empty, to simply set an option back to
156 its default. The syntax is:
158 "RESETCONF" 1*(SP keyword ["=" String]) CRLF
160 Otherwise it behaves like SETCONF above.
164 Request the value of a configuration variable. The syntax is:
166 "GETCONF" 1*(SP keyword) CRLF
168 If all of the listed keywords exist in the Tor configuration, Tor replies
169 with a series of reply lines of the form:
171 If any option is set to a 'default' value semantically different from an
172 empty string, Tor may reply with a reply line of the form:
175 If some of the listed keywords can't be found, Tor replies with a
176 "552 unknown configuration keyword" message.
178 If an option appears multiple times in the configuration, all of its
179 key-value pairs are returned in order.
181 Some options are context-sensitive, and depend on other options with
182 different keywords. These cannot be fetched directly. Currently there
183 is only one such option: clients should use the "HiddenServiceOptions"
184 virtual keyword to get all HiddenServiceDir, HiddenServicePort,
185 HiddenServiceNodes, and HiddenServiceExcludeNodes option settings.
189 Request the server to inform the client about interesting events. The
192 "SETEVENTS" [SP "EXTENDED"] *(SP EventCode) CRLF
194 EventCode = "CIRC" / "STREAM" / "ORCONN" / "BW" / "DEBUG" /
195 "INFO" / "NOTICE" / "WARN" / "ERR" / "NEWDESC" / "ADDRMAP" /
196 "AUTHDIR_NEWDESCS" / "DESCCHANGED" / "STATUS_GENERAL" /
197 "STATUS_CLIENT" / "STATUS_SERVER" / "GUARD" / "NS" / "STREAM_BW"
199 Any events *not* listed in the SETEVENTS line are turned off; thus, sending
200 SETEVENTS with an empty body turns off all event reporting.
202 The server responds with a "250 OK" reply on success, and a "552
203 Unrecognized event" reply if one of the event codes isn't recognized. (On
204 error, the list of active event codes isn't changed.)
206 If the flag string "EXTENDED" is provided, Tor may provide extra
207 information with events for this connection; see 4.1 for more information.
208 NOTE: All events on a given connection will be provided in extended format,
210 NOTE: "EXTENDED" is only supported in Tor 0.1.1.9-alpha or later.
212 Each event is described in more detail in Section 4.1.
216 Sent from the client to the server. The syntax is:
217 "AUTHENTICATE" [ SP 1*HEXDIG / QuotedString ] CRLF
219 The server responds with "250 OK" on success or "515 Bad authentication" if
220 the authentication cookie is incorrect.
222 The format of the 'cookie' is implementation-dependent; see 5.1 below for
223 information on how the standard Tor implementation handles it.
225 If Tor requires authentication and the controller has not yet sent an
226 AUTHENTICATE message, Tor sends a "514 authentication required" reply to
227 any other kind of message.
231 Sent from the client to the server. The syntax is:
234 Instructs the server to write out its config options into its torrc. Server
235 returns "250 OK" if successful, or "551 Unable to write configuration
236 to disk" if it can't write the file or some other error occurs.
240 Sent from the client to the server. The syntax is:
242 "SIGNAL" SP Signal CRLF
244 Signal = "RELOAD" / "SHUTDOWN" / "DUMP" / "DEBUG" / "HALT" /
245 "HUP" / "INT" / "USR1" / "USR2" / "TERM" / "NEWNYM" /
248 The meaning of the signals are:
250 RELOAD -- Reload: reload config items, refetch directory. (like HUP)
251 SHUTDOWN -- Controlled shutdown: if server is an OP, exit immediately.
252 If it's an OR, close listeners and exit after 30 seconds.
254 DUMP -- Dump stats: log information about open connections and
255 circuits. (like USR1)
256 DEBUG -- Debug: switch all open logs to loglevel debug. (like USR2)
257 HALT -- Immediate shutdown: clean up and exit now. (like TERM)
258 CLEARDNSCACHE -- Forget the client-side cached IPs for all hostnames.
259 NEWNYM -- Switch to clean circuits, so new application requests
260 don't share any circuits with old ones. Also clears
261 the client-side DNS cache. (Tor MAY rate-limit its
262 response to this signal.)
264 The server responds with "250 OK" if the signal is recognized (or simply
265 closes the socket if it was asked to close immediately), or "552
266 Unrecognized signal" if the signal is unrecognized.
270 Sent from the client to the server. The syntax is:
272 "MAPADDRESS" 1*(Address "=" Address SP) CRLF
274 The first address in each pair is an "original" address; the second is a
275 "replacement" address. The client sends this message to the server in
276 order to tell it that future SOCKS requests for connections to the original
277 address should be replaced with connections to the specified replacement
278 address. If the addresses are well-formed, and the server is able to
279 fulfill the request, the server replies with a 250 message:
280 250-OldAddress1=NewAddress1
281 250 OldAddress2=NewAddress2
283 containing the source and destination addresses. If request is
284 malformed, the server replies with "512 syntax error in command
285 argument". If the server can't fulfill the request, it replies with
286 "451 resource exhausted".
288 The client may decline to provide a body for the original address, and
289 instead send a special null address ("0.0.0.0" for IPv4, "::0" for IPv6, or
290 "." for hostname), signifying that the server should choose the original
291 address itself, and return that address in the reply. The server
292 should ensure that it returns an element of address space that is unlikely
293 to be in actual use. If there is already an address mapped to the
294 destination address, the server may reuse that mapping.
296 If the original address is already mapped to a different address, the old
297 mapping is removed. If the original address and the destination address
298 are the same, the server removes any mapping in place for the original
302 C: MAPADDRESS 0.0.0.0=torproject.org 1.2.3.4=tor.freehaven.net
303 S: 250-127.192.10.10=torproject.org
304 S: 250 1.2.3.4=tor.freehaven.net
306 {Note: This feature is designed to be used to help Tor-ify applications
307 that need to use SOCKS4 or hostname-less SOCKS5. There are three
308 approaches to doing this:
309 1. Somehow make them use SOCKS4a or SOCKS5-with-hostnames instead.
310 2. Use tor-resolve (or another interface to Tor's resolve-over-SOCKS
311 feature) to resolve the hostname remotely. This doesn't work
312 with special addresses like x.onion or x.y.exit.
313 3. Use MAPADDRESS to map an IP address to the desired hostname, and then
314 arrange to fool the application into thinking that the hostname
315 has resolved to that IP.
316 This functionality is designed to help implement the 3rd approach.}
318 Mappings set by the controller last until the Tor process exits:
319 they never expire. If the controller wants the mapping to last only
320 a certain time, then it must explicitly un-map the address when that
325 Sent from the client to the server. The syntax is as for GETCONF:
326 "GETINFO" 1*(SP keyword) CRLF
327 one or more NL-terminated strings. The server replies with an INFOVALUE
328 message, or a 551 or 552 error.
330 Unlike GETCONF, this message is used for data that are not stored in the Tor
331 configuration file, and that may be longer than a single line. On success,
332 one ReplyLine is sent for each requested value, followed by a final 250 OK
333 ReplyLine. If a value fits on a single line, the format is:
335 If a value must be split over multiple lines, the format is:
339 Recognized keys and their values include:
341 "version" -- The version of the server's software, including the name
342 of the software. (example: "Tor 0.0.9.4")
344 "config-file" -- The location of Tor's configuration file ("torrc").
346 ["exit-policy/prepend" -- The default exit policy lines that Tor will
347 *prepend* to the ExitPolicy config option.
348 -- Never implemented. Useful?]
350 "exit-policy/default" -- The default exit policy lines that Tor will
351 *append* to the ExitPolicy config option.
353 "desc/id/<OR identity>" or "desc/name/<OR nickname>" -- the latest
354 server descriptor for a given OR, NUL-terminated.
356 "ns/id/<OR identity>" or "ns/name/<OR nickname>" -- the latest network
357 status info for a given OR. Network status info is as given in
358 dir-spec.txt, and reflects the current beliefs of this Tor about the
359 router in question. Like directory clients, controllers MUST
360 tolerate unrecognized flags and lines. The published date and
361 descriptor digest are those believed to be best by this Tor,
362 not necessarily those for a descriptor that Tor currently has.
363 [First implemented in 0.1.2.3-alpha.]
365 "ns/all" -- Network status info for all ORs we have an opinion about,
366 joined by newlines. [First implemented in 0.1.2.3-alpha.]
368 "desc/all-recent" -- the latest server descriptor for every router that
371 "network-status" -- a space-separated list of all known OR identities.
372 This is in the same format as the router-status line in directories;
373 see dir-spec-v1.txt section 3 for details. (If VERBOSE_NAMES is
374 enabled, the output will not conform to dir-spec-v1.txt; instead, the
375 result will be a space-separated list of LongName, each preceded by a
376 "!" if it is believed to be not running.)
379 "addr-mappings/config"
380 "addr-mappings/cache"
381 "addr-mappings/control" -- a \r\n-separated list of address
382 mappings, each in the form of "from-address to-address".
383 The 'config' key returns those address mappings set in the
384 configuration; the 'cache' key returns the mappings in the
385 client-side DNS cache; the 'control' key returns the mappings set
386 via the control interface; the 'all' target returns the mappings
387 set through any mechanism.
389 "address" -- the best guess at our external IP address. If we
390 have no guess, return a 551 error. (Added in 0.1.2.2-alpha)
392 "fingerprint" -- the contents of the fingerprint file that Tor
393 writes as a server, or a 551 if we're not a server currently.
394 (Added in 0.1.2.3-alpha)
397 A series of lines as for a circuit status event. Each line is of
399 CircuitID SP CircStatus [SP Path] CRLF
402 A series of lines as for a stream status event. Each is of the form:
403 StreamID SP StreamStatus SP CircID SP Target CRLF
406 A series of lines as for an OR connection status event. Each is of the
408 ServerID SP ORStatus CRLF
411 A series of lines listing the currently chosen entry guards, if any.
413 ServerID SP (Status-with-time / Status) CRLF
415 Status-with-time = ("down" / "unlisted") SP ISOTime
416 Status = ("up" / "never-connected")
418 [From 0.1.1.4-alpha to 0.1.1.10-alpha, this was called "helper-nodes".
419 Tor still supports calling it that for now, but support will be
423 "accounting/hibernating"
425 "accounting/bytes-left"
426 "accounting/interval-start"
427 "accounting/interval-wake"
428 "accounting/interval-end"
429 Information about accounting status. If accounting is enabled,
430 "enabled" is 1; otherwise it is 0. The "hibernating" field is "hard"
431 if we are accepting no data; "soft" if we're accepting no new
432 connections, and "awake" if we're not hibernating at all. The "bytes"
433 and "bytes-left" fields contain (read-bytes SP write-bytes), for the
434 start and the rest of the interval respectively. The 'interval-start'
435 and 'interval-end' fields are the borders of the current interval; the
436 'interval-wake' field is the time within the current interval (if any)
437 where we plan[ned] to start being active.
440 A series of lines listing the available configuration options. Each is
442 OptionName SP OptionType [ SP Documentation ] CRLF
444 OptionType = "Integer" / "TimeInterval" / "DataSize" / "Float" /
445 "Boolean" / "Time" / "CommaList" / "Dependant" / "Virtual" /
446 "String" / "LineList"
450 A series of lines listing the available GETINFO options. Each is of
452 OptionName SP Documentation CRLF
453 OptionPrefix SP Documentation CRLF
454 OptionPrefix = OptionName "/*"
457 A space-separated list of all the events supported by this version of
461 A space-separated list of all the events supported by this version of
464 "next-circuit/IP:port"
467 "dir/status/authority"
469 "dir/status/fp/<F1>+<F2>+<F3>"
472 "dir/server/fp/<F1>+<F2>+<F3>"
474 "dir/server/d/<D1>+<D2>+<D3>"
475 "dir/server/authority"
477 A series of lines listing directory contents, provided according to the
478 specification for the URLs listed in Section 4.4 of dir-spec.txt. Note
479 that Tor MUST NOT provide private information, such as descriptors for
480 routers not marked as general-purpose. When asked for 'authority'
481 information for which this Tor is not authoritative, Tor replies with
484 "status/circuit-established"
486 These provide the current internal Tor values for various Tor
487 states. See Section 4.1.10 for explanations. (Only a few of the
488 status events are available as getinfo's currently. Let us know if
489 you want more exposed.)
492 C: GETINFO version desc/name/moria1
493 S: 250+desc/name/moria=
494 S: [Descriptor for moria]
496 S: 250-version=Tor 0.1.1.0-alpha-cvs
501 Sent from the client to the server. The format is:
502 "EXTENDCIRCUIT" SP CircuitID SP
503 ServerSpec *("," ServerSpec) SP
504 ("purpose=" Purpose) CRLF
506 This request takes one of two forms: either the CircuitID is zero, in
507 which case it is a request for the server to build a new circuit according
508 to the specified path, or the CircuitID is nonzero, in which case it is a
509 request for the server to extend an existing circuit with that ID according
510 to the specified path.
512 If CircuitID is 0 and "purpose=" is specified, then the circuit's
513 purpose is set. Two choices are recognized: "general" and
514 "controller". If not specified, circuits are created as "general".
516 If the request is successful, the server sends a reply containing a
517 message body consisting of the CircuitID of the (maybe newly created)
518 circuit. The syntax is "250" SP "EXTENDED" SP CircuitID CRLF.
520 3.11. SETCIRCUITPURPOSE
522 Sent from the client to the server. The format is:
523 "SETCIRCUITPURPOSE" SP CircuitID SP Purpose CRLF
525 This changes the circuit's purpose. See EXTENDCIRCUIT above for details.
527 3.12. SETROUTERPURPOSE
529 Sent from the client to the server. The format is:
530 "SETROUTERPURPOSE" SP NicknameOrKey SP Purpose CRLF
532 This changes the descriptor's purpose. See +POSTDESCRIPTOR below
537 Sent from the client to the server. The syntax is:
538 "ATTACHSTREAM" SP StreamID SP CircuitID CRLF
540 This message informs the server that the specified stream should be
541 associated with the specified circuit. Each stream may be associated with
542 at most one circuit, and multiple streams may share the same circuit.
543 Streams can only be attached to completed circuits (that is, circuits that
544 have sent a circuit status 'BUILT' event or are listed as built in a
545 GETINFO circuit-status request).
547 If the circuit ID is 0, responsibility for attaching the given stream is
550 Tor responds with "250 OK" if it can attach the stream, 552 if the circuit
551 or stream didn't exist, or 551 if the stream couldn't be attached for
554 {Implementation note: Tor will close unattached streams by itself,
555 roughly two minutes after they are born. Let the developers know if
556 that turns out to be a problem.}
558 {Implementation note: By default, Tor automatically attaches streams to
559 circuits itself, unless the configuration variable
560 "__LeaveStreamsUnattached" is set to "1". Attempting to attach streams
561 via TC when "__LeaveStreamsUnattached" is false may cause a race between
562 Tor and the controller, as both attempt to attach streams to circuits.}
564 {Implementation note: You can try to attachstream to a stream that
565 has already sent a connect or resolve request but hasn't succeeded
566 yet, in which case Tor will detach the stream from its current circuit
567 before proceeding with the new attach request.}
571 Sent from the client to the server. The syntax is:
572 "+POSTDESCRIPTOR" ("purpose=" Purpose) CRLF Descriptor CRLF "." CRLF
574 This message informs the server about a new descriptor. If Purpose is
575 specified, it must be either "general" or "controller", else we
578 The descriptor, when parsed, must contain a number of well-specified
579 fields, including fields for its nickname and identity.
581 If there is an error in parsing the descriptor, the server must send a "554
582 Invalid descriptor" reply. If the descriptor is well-formed but the server
583 chooses not to add it, it must reply with a 251 message whose body explains
584 why the server was not added. If the descriptor is added, Tor replies with
589 Sent from the client to the server. The syntax is:
590 "REDIRECTSTREAM" SP StreamID SP Address (SP Port) CRLF
592 Tells the server to change the exit address on the specified stream. If
593 Port is specified, changes the destination port as well. No remapping
594 is performed on the new provided address.
596 To be sure that the modified address will be used, this event must be sent
597 after a new stream event is received, and before attaching this stream to
600 Tor replies with "250 OK" on success.
604 Sent from the client to the server. The syntax is:
606 "CLOSESTREAM" SP StreamID SP Reason *(SP Flag) CRLF
608 Tells the server to close the specified stream. The reason should be one
609 of the Tor RELAY_END reasons given in tor-spec.txt, as a decimal. Flags is
610 not used currently; Tor servers SHOULD ignore unrecognized flags. Tor may
611 hold the stream open for a while to flush any data that is pending.
613 Tor replies with "250 OK" on success, or a 512 if there aren't enough
614 arguments, or a 552 if it doesn't recognize the StreamID or reason.
619 CLOSECIRCUIT SP CircuitID *(SP Flag) CRLF
622 Tells the server to close the specified circuit. If "IfUnused" is
623 provided, do not close the circuit unless it is unused.
625 Other flags may be defined in the future; Tor SHOULD ignore unrecognized
628 Tor replies with "250 OK" on success, or a 512 if there aren't enough
629 arguments, or a 552 if it doesn't recognize the CircuitID.
633 Tells the server to hang up on this controller connection. This command
634 can be used before authenticating.
640 "USEFEATURE" *(SP FeatureName) CRLF
641 FeatureName = 1*(ALPHA / DIGIT / "_" / "-")
643 Sometimes extensions to the controller protocol break compatibility with
644 older controllers. In this case, whenever possible, the extensions are
645 first included in Tor disabled by default, and only enabled on a given
646 controller connection when the "USEFEATURE" command is given. Once a
647 "USEFEATURE" command is given, it applies to all subsequent interactions on
648 the same connection; to disable an enabled feature, a new controller
649 connection must be opened.
651 This is a forward-compatibility mechanism; each feature will eventually
652 become a regular part of the control protocol in some future version of Tor.
653 Tor will ignore a request to use any feature that is already on by default.
654 Tor will give a "552" error if any requested feature is not recognized.
656 Feature names are case-insensitive.
660 Same as passing 'EXTENDED' to SETEVENTS; this is the preferred way to
661 request the extended event syntax.
663 This will not be always-enabled until at least XXX (or, at least two
664 stable releases after XXX, the release where it was first used for
669 Instead of ServerID as specified above, the controller should
670 identify ORs by LongName in events and GETINFO results. This format is
671 strictly more informative: rather than including Nickname for
672 known Named routers and Fingerprint for unknown or unNamed routers, the
673 LongName format includes a Fingerprint, an indication of Named status,
674 and a Nickname (if one is known).
676 This will not be always-enabled until at least 0.1.4.x (or at least two
677 stable releases after 0.1.2.2-alpha, the release where it was first
682 Reply codes follow the same 3-character format as used by SMTP, with the
683 first character defining a status, the second character defining a
684 subsystem, and the third designating fine-grained information.
686 The TC protocol currently uses the following first characters:
688 2yz Positive Completion Reply
689 The command was successful; a new request can be started.
691 4yz Temporary Negative Completion reply
692 The command was unsuccessful but might be reattempted later.
694 5yz Permanent Negative Completion Reply
695 The command was unsuccessful; the client should not try exactly
696 that sequence of commands again.
698 6yz Asynchronous Reply
699 Sent out-of-order in response to an earlier SETEVENTS command.
701 The following second characters are used:
704 Sent in response to ill-formed or nonsensical commands.
707 Refers to operations of the Tor Control protocol.
710 Refers to actual operations of Tor system.
712 The following codes are defined:
715 251 Operation was unnecessary
716 [Tor has declined to perform the operation, but no harm was done.]
718 451 Resource exhausted
720 500 Syntax error: protocol
722 510 Unrecognized command
723 511 Unimplemented command
724 512 Syntax error in command argument
725 513 Unrecognized command argument
726 514 Authentication required
727 515 Bad authentication
729 550 Unspecified Tor error
732 [Something went wrong inside Tor, so that the client's
733 request couldn't be fulfilled.]
735 552 Unrecognized entity
736 [A configuration key, a stream ID, circuit ID, event,
737 mentioned in the command did not actually exist.]
739 553 Invalid configuration value
740 [The client tried to set a configuration option to an
741 incorrect, ill-formed, or impossible value.]
743 554 Invalid descriptor
747 650 Asynchronous event notification
749 Unless specified to have specific contents, the human-readable messages
750 in error replies should not be relied upon to match those in this document.
752 4.1. Asynchronous events
754 These replies can be sent after a corresponding SETEVENTS command has been
755 received. They will not be interleaved with other Reply elements, but they
756 can appear between a command and its corresponding reply. For example,
757 this sequence is possible:
761 C: GETCONF SOCKSPORT ORPORT
762 S: 650 CIRC 1000 EXTENDED moria1,moria2
763 S: 250-SOCKSPORT=9050
766 But this sequence is disallowed:
769 C: GETCONF SOCKSPORT ORPORT
770 S: 250-SOCKSPORT=9050
771 S: 650 CIRC 1000 EXTENDED moria1,moria2
774 Clients MUST tolerate more arguments in an asynchonous reply than
775 expected, and MUST tolerate more lines in an asynchronous reply than
776 expected. For instance, a client that expects a CIRC message like:
777 650 CIRC 1000 EXTENDED moria1,moria2
779 650-CIRC 1000 EXTENDED moria1,moria2 0xBEEF
783 If clients ask for extended events, then each event line as specified below
784 will be followed by additional extensions. Additional lines will be of the
786 "650" ("-"/" ") KEYWORD ["=" ARGUMENTS] CRLF
787 Additional arguments will be of the form
788 SP KEYWORD ["=" ( QuotedString / * NonSpDquote ) ]
789 Such clients MUST tolerate lines with keywords they do not recognize.
791 4.1.1. Circuit status changed
795 "650" SP "CIRC" SP CircuitID SP CircStatus [SP Path]
796 [SP "REASON=" Reason [SP "REMOTE_REASON=" Reason]] CRLF
799 "LAUNCHED" / ; circuit ID assigned to new circuit
800 "BUILT" / ; all hops finished, can now accept streams
801 "EXTENDED" / ; one more hop has been completed
802 "FAILED" / ; circuit closed (was not built)
803 "CLOSED" ; circuit closed (was built)
805 Path = ServerID *("," ServerID)
807 Reason = "NONE" / "TORPROTOCOL" / "INTERNAL" / "REQUESTED" /
808 "HIBERNATING" / "RESOURCELIMIT" / "CONNECTFAILED" /
809 "OR_IDENTITY" / "OR_CONN_CLOSED" / "TIMEOUT" /
810 "FINISHED" / "DESTROYED" / "NOPATH" / "NOSUCHSERVICE"
812 The path is provided only when the circuit has been extended at least one
815 The "REASON" field is provided only for FAILED and CLOSED events, and only
816 if extended events are enabled (see 3.19). Clients MUST accept reasons
817 not listed above. Reasons are as given in tor-spec.txt, except for:
819 NOPATH (Not enough nodes to make circuit)
821 The "REMOTE_REASON" field is provided only when we receive a DESTROY or
822 TRUNCATE cell, and only if extended events are enabled. It contains the
823 actual reason given by the remote OR for closing the circuit. Clients MUST
824 accept reasons not listed above. Reasons are as listed in tor-spec.txt.
826 4.1.2. Stream status changed
830 "650" SP "STREAM" SP StreamID SP StreamStatus SP CircID SP Target
831 [SP "REASON=" Reason [ SP "REMOTE_REASON=" Reason ]]
832 [SP "SOURCE=" Source] CRLF
835 "NEW" / ; New request to connect
836 "NEWRESOLVE" / ; New request to resolve an address
837 "REMAP" / ; Address re-mapped to another
838 "SENTCONNECT" / ; Sent a connect cell along a circuit
839 "SENTRESOLVE" / ; Sent a resolve cell along a circuit
840 "SUCCEEDED" / ; Received a reply; stream established
841 "FAILED" / ; Stream failed and not retriable
842 "CLOSED" / ; Stream closed
843 "DETACHED" ; Detached from circuit; still retriable
845 Target = Address ":" Port
847 The circuit ID designates which circuit this stream is attached to. If
848 the stream is unattached, the circuit ID "0" is given.
850 Reason = "MISC" / "RESOLVEFAILED" / "CONNECTREFUSED" /
851 "EXITPOLICY" / "DESTROY" / "DONE" / "TIMEOUT" /
852 "HIBERNATING" / "INTERNAL"/ "RESOURCELIMIT" /
853 "CONNRESET" / "TORPROTOCOL" / "NOTDIRECTORY" / "END"
855 The "REASON" field is provided only for FAILED, CLOSED, and DETACHED
856 events, and only if extended events are enabled (see 3.19). Clients MUST
857 accept reasons not listed above. Reasons are as given in tor-spec.txt,
860 END (We received a RELAY_END cell from the other side of thise
862 [XXXX document more.]
864 The "REMOTE_REASON" field is provided only when we receive a RELAY_END
865 cell, and only if extended events are enabled. It contains the actual
866 reason given by the remote OR for closing the stream. Clients MUST accept
867 reasons not listed above. Reasons are as listed in tor-spec.txt.
869 "REMAP" events include a Source if extended events are enabled:
870 Source = "CACHE" / "EXIT"
871 Clients MUST accept sources not listed above. "CACHE" is given if
872 the Tor client decided to remap the address because of a cached
873 answer, and "EXIT" is given if the remote node we queried gave us
874 the new address as a response.
876 4.1.3. OR Connection status changed
879 "650" SP "ORCONN" SP (ServerID / Target) SP ORStatus [ SP "REASON="
880 Reason ] [ SP "NCIRCS=" NumCircuits ]
882 ORStatus = "NEW" / "LAUNCHED" / "CONNECTED" / "FAILED" / "CLOSED"
884 NEW is for incoming connections, and LAUNCHED is for outgoing
885 connections. CONNECTED means the TLS handshake has finished (in
886 either direction). FAILED means a connection is being closed that
887 hasn't finished its handshake, and CLOSED is for connections that
890 A ServerID is specified unless it's a NEW connection, in which
891 case we don't know what server it is yet, so we use Address:Port.
893 If extended events are enabled (see 3.19), optional reason and
894 circuit counting information is provided for CLOSED and FAILED
897 Reason = "MISC" / "DONE" / "CONNECTREFUSED" /
898 "IDENTITY" / "CONNECTRESET" / "TIMEOUT" / "NOROUTE" /
901 NumCircuits counts both established and pending circuits.
903 4.1.4. Bandwidth used in the last second
906 "650" SP "BW" SP BytesRead SP BytesWritten *(SP Type "=" Num)
908 BytesWritten = 1*DIGIT
909 Type = "DIR" / "OR" / "EXIT" / "APP" / ...
912 BytesRead and BytesWritten are the totals. In Tor 0.1.x.y-alpha
913 and later, we also include a breakdown of the connection types
914 that used bandwidth this second (not implemented yet).
919 "650" SP Severity SP ReplyText
921 "650+" Severity CRLF Data
923 Severity = "DEBUG" / "INFO" / "NOTICE" / "WARN"/ "ERR"
925 4.1.6. New descriptors available
928 "650" SP "NEWDESC" 1*(SP ServerID)
930 4.1.7. New Address mapping
933 "650" SP "ADDRMAP" SP Address SP Address SP Expiry
934 Expiry = DQUOTE ISOTime DQUOTE / "NEVER"
936 Expiry is expressed as the local time (rather than GMT).
938 [XXX We should rename this to ADDRESSMAP. -RD]
939 [Why? Surely it can't be worth the compatibility issues. -NM]
941 4.1.8. Descriptors uploaded to us in our role as authoritative dirserver
944 "650" "+" "AUTHDIR_NEWDESCS" CRLF Action CRLF Message CRLF
945 Descriptor CRLF "." CRLF
946 Action = "ACCEPTED" / "DROPPED" / "REJECTED"
949 4.1.9. Our descriptor changed
952 "650" SP "DESCCHANGED"
954 [First added in 0.1.2.2-alpha.]
956 4.1.10. Status events
958 Status events (STATUS_GENERAL, STATUS_CLIENT, and STATUS_SERVER) are sent
959 based on occurrences in the Tor process pertaining to the general state of
960 the program. Generally, they correspond to log messages of severity Notice
961 or higher. They differ from log messages in that their format is a
965 "650" SP StatusType SP StatusSeverity SP StatusAction
966 [SP StatusArguments] CRLF
968 StatusType = "STATUS_GENERAL" / "STATUS_CLIENT" / "STATUS_SERVER"
969 StatusSeverity = "NOTICE" / "WARN" / "ERR"
970 StatusAction = 1*ALPHA
971 StatusArguments = StatusArgument *(SP StatusArgument)
972 StatusArgument = StatusKeyword '=' StatusValue
973 StatusKeyword = 1*(ALNUM / "_")
974 StatusValue = 1*(ALNUM / '_') / QuotedString
976 Action is a string, and Arguments is a series of keyword=value
977 pairs on the same line. Values may be space-terminated strings,
980 These events are always produced with EXTENDED_EVENTS and
981 VERBOSE_NAMES; see the explanations in the USEFEATURE section
984 Controllers MUST tolerate unrecognized actions, MUST tolerate
985 unrecognized arguments, MUST tolerate missing arguments, and MUST
986 tolerate arguments that arrive in any order.
988 Each event description below is accompanied by a recommendation for
989 controllers. These recommendations are suggestions only; no controller
990 is required to implement them.
992 Actions for STATUS_GENERAL events can be as follows:
996 Tor spent enough time without CPU cycles that it has closed all
997 its circuits and will establish them anew. This typically
998 happens when a laptop goes to sleep and then wakes up again. It
999 also happens when the system is swapping so heavily that Tor is
1000 starving. The "time" argument specifies the number of seconds Tor
1001 thinks it was unconscious for (or alternatively, the number of
1002 seconds it went back in time).
1004 This status event is sent as NOTICE severity normally, but WARN
1005 severity if Tor is acting as a server currently.
1007 {Recommendation for controller: ignore it, since we don't really
1008 know what the user should do anyway. Hm.}
1012 "REASON=NEW/OLD/UNRECOMMENDED"
1013 "RECOMMENDED=\"version, version, ...\""
1014 Tor has found that directory servers don't recommend its version of
1015 the Tor software. RECOMMENDED is a comma-and-space-separated string
1016 of Tor versions that are recommended. REASON is NEW if this version
1017 of Tor is newer than any recommended version, OLD if this version of
1018 Tor is older than any recommended version, and UNRECOMMENDED if
1019 some recommended versions of Tor are newer and some are old than this
1022 {Controllers may want to suggest that the user upgrade OLD or
1023 UNRECOMMENDED versions. NEW versions may be known-insecure, or may
1024 simply be development versions.}
1026 TOO_MANY_CONNECTIONS
1028 Tor has reached its ulimit -n or whatever the native limit is on file
1029 descriptors or sockets. CURRENT is the number of sockets Tor
1030 currently has open. The user should really do something about
1031 this. The "current" argument shows the number of connections currently
1034 {Controllers may recommend that the user increase the limit, or
1035 increase it for them. Recommendations should be phrased in an
1036 OS-appropriate way and automated when possible.}
1040 Tor has encountered a situation that its developers never expected,
1041 and the developers would like to learn that it happened. Perhaps
1042 the controller can explain this to the user and encourage her to
1045 {Controllers should log bugs, but shouldn't annoy the user in case a
1046 bug appears frequently.}
1049 SKEW="+" / "-" SECONDS
1050 SOURCE="DIRSERV:IP:Port" / "NETWORKSTATUS:IP:PORT"
1051 If "SKEW" is present, it's an estimate of how far we are from the
1052 time declared in the source. If the source is a DIRSERV, we got
1053 the current time from a connection to a dirserver. If the source is
1054 a NETWORKSTATUS, we decided we're skewed because we got a
1055 networkstatus from far in the future.
1057 {Controllers may want to warn the user if the skew is high, or if
1058 multiple skew messages appear at severity WARN. Controllers
1059 shouldn't blindly adjust the clock, since the more accurate source
1060 of skew info (DIRSERV) is currently unauthenticated.}
1063 "METHOD=" libevent method
1064 "VERSION=" libevent version
1065 "BADNESS=" "BROKEN" / "BUGGY" / "SLOW"
1066 "RECOVERED=" "NO" / "YES"
1067 Tor knows about bugs in using the configured event method in this
1068 version of libevent. "BROKEN" libevents won't work at all;
1069 "BUGGY" libevents might work okay; "SLOW" libevents will work
1070 fine, but not quickly. If "RECOVERED" is YES, Tor managed to
1071 switch to a more reliable (but probably slower!) libevent method.
1073 {Controllers may want to warn the user if this event occurs, though
1074 generally it's the fault of whoever built the Tor binary and there's
1075 not much the user can do besides upgrade libevent or upgrade the
1079 Tor believes that none of the known directory servers are
1080 reachable -- this is most likely because the local network is
1081 down or otherwise not working, and might help to explain for the
1082 user why Tor appears to be broken.
1084 {Controllers may want to warn the user if this event occurs; further
1085 action is generally not possible.}
1087 Actions for STATUS_CLIENT events can be as follows:
1090 Tor now knows enough network-status documents and enough server
1091 descriptors that it's going to start trying to build circuits now.
1093 {Controllers may want to use this event to decide when to indicate
1094 progress to their users, but should not interrupt the user's browsing
1098 We discarded expired statuses and router descriptors to fall
1099 below the desired threshold of directory information. We won't
1100 try to build any circuits until ENOUGH_DIR_INFO occurs again.
1102 {Controllers may want to use this event to decide when to indicate
1103 progress to their users, but should not interrupt the user's browsing
1107 Tor is able to establish circuits for client use. This event will
1108 only be sent if we just built a circuit that changed our mind --
1109 that is, prior to this event we didn't know whether we could
1112 {Suggested use: controllers can notify their users that Tor is
1113 ready for use as a client once they see this status event. [Perhaps
1114 controllers should also have a timeout if too much time passes and
1115 this event hasn't arrived, to give tips on how to troubleshoot.
1116 On the other hand, hopefully Tor will send further status events
1117 if it can identify the problem.]}
1119 CIRCUIT_NOT_ESTABLISHED
1120 "REASON=" "EXTERNAL_ADDRESS" / "DIR_ALL_UNREACHABLE" / "CLOCK_JUMPED"
1121 We are no longer confident that we can build circuits. The "reason"
1122 keyword provides an explanation: which other status event type caused
1123 our lack of confidence.
1125 {Controllers may want to use this event to decide when to indicate
1126 progress to their users, but should not interrupt the user's browsing
1128 [Note: only REASON=CLOCK_JUMPED is implemented currently.]
1131 "PROTOCOL=SOCKS4/SOCKS5"
1133 A connection was made to Tor's SOCKS port using one of the SOCKS
1134 approaches that doesn't support hostnames -- only raw IP addresses.
1135 If the client application got this address from gethostbyname(),
1136 it may be leaking target addresses via DNS.
1138 {Controllers should warn their users when this occurs, unless they
1139 happen to know that the application using Tor is in fact doing so
1140 correctly (e.g., because it is part of a distributed bundle).}
1142 SOCKS_UNKNOWN_PROTOCOL
1144 A connection was made to Tor's SOCKS port that tried to use it
1145 for something other than the SOCKS protocol. Perhaps the user is
1146 using Tor as an HTTP proxy? The DATA is the first few characters
1147 sent to Tor on the SOCKS port.
1149 {Controllers may want to warn their users when this occurs: it
1150 indicates a misconfigured application.}
1153 "HOSTNAME=QuotedString"
1154 Some application gave us a funny-looking hostname. Perhaps
1155 it is broken? In any case it won't work with Tor and the user
1158 {Controllers may want to warn their users when this occurs: it
1159 usually indicates a misconfigured application.}
1161 Actions for STATUS_SERVER can be as follows:
1166 "METHOD=CONFIGURED/DIRSERV/RESOLVED/INTERFACE/GETHOSTNAME"
1167 Our best idea for our externally visible IP has changed to 'IP'.
1168 If 'HOSTNAME' is present, we got the new IP by resolving 'NAME'. If the
1169 method is 'CONFIGURED', the IP was given verbatim as a configuration
1170 option. If the method is 'RESOLVED', we resolved the Address
1171 configuration option to get the IP. If the method is 'GETHOSTNAME',
1172 we resolved our hostname to get the IP. If the method is 'INTERFACE',
1173 we got the address of one of our network interfaces to get the IP. If
1174 the method is 'DIRSERV', a directory server told us a guess for what
1177 {Controllers may want to record this info and display it to the user.}
1179 CHECKING_REACHABILITY
1181 "DIRADDRESS=IP:port"
1182 We're going to start testing the reachability of our external OR port
1185 {This event could effect the controller's idea of server status, but
1186 the controller should not interrupt the user to tell them so.}
1188 REACHABILITY_SUCCEEDED
1190 "DIRADDRESS=IP:port"
1191 We successfully verified the reachability of our external OR port or
1194 {This event could effect the controller's idea of server status, but
1195 the controller should not interrupt the user to tell them so.}
1197 GOOD_SERVER_DESCRIPTOR
1198 We successfully uploaded our server descriptor to each of the
1199 directory authorities, with no complaints.
1201 {This event could effect the controller's idea of server status, but
1202 the controller should not interrupt the user to tell them so.}
1206 "STATUS=" "UP" / "DOWN"
1208 One of our nameservers has changed status.
1211 {This event could effect the controller's idea of server status, but
1212 the controller should not interrupt the user to tell them so.}
1215 All of our nameservers have gone down.
1217 {This is a problem; if it happens often without the nameservers
1218 coming up again, the user needs to configure more or better
1222 Our DNS provider is providing an address when it should be saying
1223 "NOTFOUND"; Tor will treat the address as a synonym for "NOTFOUND".
1225 {This is an annoyance; controllers may want to tell admins that their
1226 DNS provider is not to be trusted.}
1229 Our DNS provider is giving a hijacked address instead of well-known
1230 websites; Tor will not try to be an exit node.
1232 {Controllers could warn the admin if the server is running as an
1233 exit server: the admin needs to configure a good DNS server.
1234 Alternatively, this happens a lot in some restrictive environments
1235 (hotels, universities, coffeeshops) when the user hasn't registered.}
1237 BAD_SERVER_DESCRIPTOR
1240 A directory authority rejected our descriptor. Possible reasons
1241 include malformed descriptors, incorrect keys, highly skewed clocks,
1244 {Controllers should warn the admin, and try to cope if they can.}
1246 ACCEPTED_SERVER_DESCRIPTOR
1248 A single directory authority accepted our descriptor.
1251 {This event could effect the controller's idea of server status, but
1252 the controller should not interrupt the user to tell them so.}
1256 "DIRADDRESS=IP:port"
1257 We failed to connect to our external OR port or directory port
1260 {This event could effect the controller's idea of server status. The
1261 controller should warn the admin and suggest reasonable steps to take.}
1263 4.1.11. Our set of guard nodes has changed
1266 "650" SP "GUARD" SP Type SP Name SP Status ... CRLF
1268 Name = The (possibly verbose) nickname of the guard affected.
1269 Status = "NEW" | "UP" | "DOWN" | "BAD" | "GOOD" | "DROPPED"
1271 [explain states. XXX]
1273 4.1.12. Network status has changed
1276 "650" "+" "NS" CRLF 1*NetworkStatus "." CRLF
1278 [First added in 0.1.2.3-alpha]
1280 4.1.13. Bandwidth used on an application stream
1283 "650" SP "STREAM_BW" SP StreamID SP BytesRead SP BytesWritten
1285 BytesWritten = 1*DIGIT
1287 BytesRead and BytesWritten are the number of bytes read and written since
1288 the last STREAM_BW event on this stream. These events are generated about
1289 once per second per stream; no events are generated for streams that have
1290 not read or written.
1292 These events apply only to streams entering Tor (such as on a SOCKSPort,
1293 TransPort, or so on). They are not generated for exiting streams.
1295 5. Implementation notes
1299 By default, the current Tor implementation trusts all local users.
1301 If the 'CookieAuthentication' option is true, Tor writes a "magic cookie"
1302 file named "control_auth_cookie" into its data directory. To authenticate,
1303 the controller must send the contents of this file, encoded in hexadecimal.
1305 If the 'HashedControlPassword' option is set, it must contain the salted
1306 hash of a secret password. The salted hash is computed according to the
1307 S2K algorithm in RFC 2440 (OpenPGP), and prefixed with the s2k specifier.
1308 This is then encoded in hexadecimal, prefixed by the indicator sequence
1309 "16:". Thus, for example, the password 'foo' could encode to:
1310 16:660537E3E1CD49996044A3BF558097A981F539FEA2F9DA662B4626C1C2
1311 ++++++++++++++++**^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1314 You can generate the salt of a password by calling
1315 'tor --hash-password <password>'
1316 or by using the example code in the Python and Java controller libraries.
1317 To authenticate under this scheme, the controller sends Tor the original
1318 secret that was used to generate the password.
1320 5.2. Don't let the buffer get too big.
1322 If you ask for lots of events, and 16MB of them queue up on the buffer,
1323 the Tor process will close the socket.
1325 5.3. Backward compatibility with v0 control protocol.
1327 For backward compatibility with the "version 0" control protocol, Tor checks
1328 whether the third octet the first command is zero. If it is, Tor
1329 assumes that version 0 is in use. This feature is deprecated, and will be
1330 removed in the 0.1.3.x Tor development series.
1332 In order to detect which version of the protocol is supported controllers
1333 should send the sequence [00 00 0D 0A]. This is a valid and unrecognized
1334 command in both protocol versions, and implementations can detect which
1335 error they have received.