3 TC: A Tor control protocol (Version 1)
7 This document describes an implementation-specific protocol that is used
8 for other programs (such as frontend user-interfaces) to communicate with a
9 locally running Tor process. It is not part of the Tor onion routing
12 This protocol replaces version 0 of TC, which is now deprecated. For
13 reference, TC is described in "control-spec-v0.txt". Implementors are
14 recommended to avoid using TC directly, but instead to use a library that
15 can easily be updated to use the newer protocol. (Version 0 is used by Tor
16 versions 0.1.0.x; the protocol in this document only works with Tor
17 versions in the 0.1.1.x series and later.)
21 TC is a bidirectional message-based protocol. It assumes an underlying
22 stream for communication between a controlling process (the "client"
23 or "controller") and a Tor process (or "server"). The stream may be
24 implemented via TCP, TLS-over-TCP, a Unix-domain socket, or so on,
25 but it must provide reliable in-order delivery. For security, the
26 stream should not be accessible by untrusted parties.
28 In TC, the client and server send typed messages to each other over the
29 underlying stream. The client sends "commands" and the server sends
32 By default, all messages from the server are in response to messages from
33 the client. Some client requests, however, will cause the server to send
34 messages to the client indefinitely far into the future. Such
35 "asynchronous" replies are marked as such.
37 Servers respond to messages in the order messages are received.
41 2.1. Description format
43 The message formats listed below use ABNF as described in RFC 2234.
44 The protocol itself is loosely based on SMTP (see RFC 2821).
46 We use the following nonterminals from RFC 2822: atom, qcontent
48 We define the following general-use nonterminals:
50 String = DQUOTE *qcontent DQUOTE
52 There are explicitly no limits on line length. All 8-bit characters are
53 permitted unless explicitly disallowed.
55 2.2. Commands from controller to Tor
57 Command = Keyword Arguments CRLF / "+" Keyword Arguments CRLF Data
59 Arguments = *(SP / VCHAR)
61 Specific commands and their arguments are described below in section 3.
63 2.3. Replies from Tor to the controller
65 Reply = *(MidReplyLine / DataReplyLine) EndReplyLine
67 MidReplyLine = "-" ReplyLine
68 DataReplyLine = "+" ReplyLine Data
69 EndReplyLine = SP ReplyLine
70 ReplyLine = StatusCode [ SP ReplyText ] CRLF
74 Specific replies are mentioned below in section 3, and described more fully
77 2.4. General-use tokens
79 ; Identifiers for servers.
80 ServerID = Nickname / Fingerprint
82 Nickname = 1*19 NicknameChar
83 NicknameChar = "a"-"z" / "A"-"Z" / "0" - "9"
84 Fingerprint = "$" 40*HEXDIG
86 ; A "=" indicates that the given nickname is canonical; a "~" indicates
87 ; that the given nickname is not canonical.
88 LongName = Fingerprint [ ( "=" / "~" ) Nickname ]
90 ; How a controller tells Tor about a particular OR. There are four
92 ; $Digest -- The router whose identity key hashes to the given digest.
93 ; This is the preferred way to refer to an OR.
94 ; $Digest~Name -- The router whose identity key hashes to the given
95 ; digest, but only if the router has the given nickname.
96 ; $Digest=Name -- The router whose identity key hashes to the given
97 ; digest, but only if the router is Named and has the given
99 ; Name -- The Named router with the given nickname, or, if no such
100 ; router exists, any router whose nickname matches the one given.
101 ; This is not a safe way to refer to routers, since Named status
102 ; could under some circumstances change over time.
103 ServerSpec = LongName / Nickname
105 ; Unique identifiers for streams or circuits. Currently, Tor only
106 ; uses digits, but this may change
107 StreamID = 1*16 IDChar
108 CircuitID = 1*16 IDChar
109 IDChar = ALPHA / DIGIT
111 Address = ip4-address / ip6-address / hostname (XXXX Define these)
113 ; A "Data" section is a sequence of octets concluded by the terminating
114 ; sequence CRLF "." CRLF. The terminating sequence may not appear in the
115 ; body of the data. Leading periods on lines in the data are escaped with
116 ; an additional leading period as in RFC 2821 section 4.5.2.
117 Data = *DataLine "." CRLF
118 DataLine = CRLF / "." 1*LineItem CRLF / NonDotItem *LineItem CRLF
119 LineItem = NonCR / 1*CR NonCRLF
120 NonDotItem = NonDotCR / 1*CR NonCRLF
124 All commands and other keywords are case-insensitive.
128 Change the value of one or more configuration variables. The syntax is:
130 "SETCONF" 1*(SP keyword ["=" String]) CRLF
132 Tor behaves as though it had just read each of the key-value pairs
133 from its configuration file. Keywords with no corresponding values have
134 their configuration values reset to 0 or NULL (use RESETCONF if you want
135 to set it back to its default). SETCONF is all-or-nothing: if there
136 is an error in any of the configuration settings, Tor sets none of them.
138 Tor responds with a "250 configuration values set" reply on success.
139 If some of the listed keywords can't be found, Tor replies with a
140 "552 Unrecognized option" message. Otherwise, Tor responds with a
141 "513 syntax error in configuration values" reply on syntax error, or a
142 "553 impossible configuration setting" reply on a semantic error.
144 When a configuration option takes multiple values, or when multiple
145 configuration keys form a context-sensitive group (see GETCONF below), then
146 setting _any_ of the options in a SETCONF command is taken to reset all of
147 the others. For example, if two ORBindAddress values are configured, and a
148 SETCONF command arrives containing a single ORBindAddress value, the new
149 command's value replaces the two old values.
153 Remove all settings for a given configuration option entirely, assign
154 its default value (if any), and then assign the String provided.
155 Typically the String is left empty, to simply set an option back to
156 its default. The syntax is:
158 "RESETCONF" 1*(SP keyword ["=" String]) CRLF
160 Otherwise it behaves like SETCONF above.
164 Request the value of a configuration variable. The syntax is:
166 "GETCONF" 1*(SP keyword) CRLF
168 If all of the listed keywords exist in the Tor configuration, Tor replies
169 with a series of reply lines of the form:
171 If any option is set to a 'default' value semantically different from an
172 empty string, Tor may reply with a reply line of the form:
175 If some of the listed keywords can't be found, Tor replies with a
176 "552 unknown configuration keyword" message.
178 If an option appears multiple times in the configuration, all of its
179 key-value pairs are returned in order.
181 Some options are context-sensitive, and depend on other options with
182 different keywords. These cannot be fetched directly. Currently there
183 is only one such option: clients should use the "HiddenServiceOptions"
184 virtual keyword to get all HiddenServiceDir, HiddenServicePort,
185 HiddenServiceNodes, and HiddenServiceExcludeNodes option settings.
189 Request the server to inform the client about interesting events. The
192 "SETEVENTS" [SP "EXTENDED"] *(SP EventCode) CRLF
194 EventCode = "CIRC" / "STREAM" / "ORCONN" / "BW" / "DEBUG" /
195 "INFO" / "NOTICE" / "WARN" / "ERR" / "NEWDESC" / "ADDRMAP" /
196 "AUTHDIR_NEWDESCS" / "DESCCHANGED" / "STATUS_GENERAL" /
197 "STATUS_CLIENT" / "STATUS_SERVER" / "GUARDS" / "NS"
199 Any events *not* listed in the SETEVENTS line are turned off; thus, sending
200 SETEVENTS with an empty body turns off all event reporting.
202 The server responds with a "250 OK" reply on success, and a "552
203 Unrecognized event" reply if one of the event codes isn't recognized. (On
204 error, the list of active event codes isn't changed.)
206 If the flag string "EXTENDED" is provided, Tor may provide extra
207 information with events for this connection; see 4.1 for more information.
208 NOTE: All events on a given connection will be provided in extended format,
210 NOTE: "EXTENDED" is only supported in Tor 0.1.1.9-alpha or later.
212 Each event is described in more detail in Section 4.1.
216 Sent from the client to the server. The syntax is:
217 "AUTHENTICATE" [ SP 1*HEXDIG / QuotedString ] CRLF
219 The server responds with "250 OK" on success or "515 Bad authentication" if
220 the authentication cookie is incorrect.
222 The format of the 'cookie' is implementation-dependent; see 5.1 below for
223 information on how the standard Tor implementation handles it.
225 If Tor requires authentication and the controller has not yet sent an
226 AUTHENTICATE message, Tor sends a "514 authentication required" reply to
227 any other kind of message.
231 Sent from the client to the server. The syntax is:
234 Instructs the server to write out its config options into its torrc. Server
235 returns "250 OK" if successful, or "551 Unable to write configuration
236 to disk" if it can't write the file or some other error occurs.
240 Sent from the client to the server. The syntax is:
242 "SIGNAL" SP Signal CRLF
244 Signal = "RELOAD" / "SHUTDOWN" / "DUMP" / "DEBUG" / "HALT" /
245 "HUP" / "INT" / "USR1" / "USR2" / "TERM" / "NEWNYM" /
248 The meaning of the signals are:
250 RELOAD -- Reload: reload config items, refetch directory. (like HUP)
251 SHUTDOWN -- Controlled shutdown: if server is an OP, exit immediately.
252 If it's an OR, close listeners and exit after 30 seconds.
254 DUMP -- Dump stats: log information about open connections and
255 circuits. (like USR1)
256 DEBUG -- Debug: switch all open logs to loglevel debug. (like USR2)
257 HALT -- Immediate shutdown: clean up and exit now. (like TERM)
258 CLEARDNSCACHE -- Forget the client-side cached IPs for all hostnames.
259 NEWNYM -- Switch to clean circuits, so new application requests
260 don't share any circuits with old ones. Also clears
261 the client-side DNS cache.
263 The server responds with "250 OK" if the signal is recognized (or simply
264 closes the socket if it was asked to close immediately), or "552
265 Unrecognized signal" if the signal is unrecognized.
269 Sent from the client to the server. The syntax is:
271 "MAPADDRESS" 1*(Address "=" Address SP) CRLF
273 The first address in each pair is an "original" address; the second is a
274 "replacement" address. The client sends this message to the server in
275 order to tell it that future SOCKS requests for connections to the original
276 address should be replaced with connections to the specified replacement
277 address. If the addresses are well-formed, and the server is able to
278 fulfill the request, the server replies with a 250 message:
279 250-OldAddress1=NewAddress1
280 250 OldAddress2=NewAddress2
282 containing the source and destination addresses. If request is
283 malformed, the server replies with "512 syntax error in command
284 argument". If the server can't fulfill the request, it replies with
285 "451 resource exhausted".
287 The client may decline to provide a body for the original address, and
288 instead send a special null address ("0.0.0.0" for IPv4, "::0" for IPv6, or
289 "." for hostname), signifying that the server should choose the original
290 address itself, and return that address in the reply. The server
291 should ensure that it returns an element of address space that is unlikely
292 to be in actual use. If there is already an address mapped to the
293 destination address, the server may reuse that mapping.
295 If the original address is already mapped to a different address, the old
296 mapping is removed. If the original address and the destination address
297 are the same, the server removes any mapping in place for the original
301 C: MAPADDRESS 0.0.0.0=tor.eff.org 1.2.3.4=tor.freehaven.net
302 S: 250-127.192.10.10=tor.eff.org
303 S: 250 1.2.3.4=tor.freehaven.net
305 {Note: This feature is designed to be used to help Tor-ify applications
306 that need to use SOCKS4 or hostname-less SOCKS5. There are three
307 approaches to doing this:
308 1. Somehow make them use SOCKS4a or SOCKS5-with-hostnames instead.
309 2. Use tor-resolve (or another interface to Tor's resolve-over-SOCKS
310 feature) to resolve the hostname remotely. This doesn't work
311 with special addresses like x.onion or x.y.exit.
312 3. Use MAPADDRESS to map an IP address to the desired hostname, and then
313 arrange to fool the application into thinking that the hostname
314 has resolved to that IP.
315 This functionality is designed to help implement the 3rd approach.}
317 Mappings set by the controller last until the Tor process exits:
318 they never expire. If the controller wants the mapping to last only
319 a certain time, then it must explicitly un-map the address when that
324 Sent from the client to the server. The syntax is as for GETCONF:
325 "GETINFO" 1*(SP keyword) CRLF
326 one or more NL-terminated strings. The server replies with an INFOVALUE
327 message, or a 551 or 552 error.
329 Unlike GETCONF, this message is used for data that are not stored in the Tor
330 configuration file, and that may be longer than a single line. On success,
331 one ReplyLine is sent for each requested value, followed by a final 250 OK
332 ReplyLine. If a value fits on a single line, the format is:
334 If a value must be split over multiple lines, the format is:
338 Recognized keys and their values include:
340 "version" -- The version of the server's software, including the name
341 of the software. (example: "Tor 0.0.9.4")
343 "config-file" -- The location of Tor's configuration file ("torrc").
345 ["exit-policy/prepend" -- The default exit policy lines that Tor will
346 *prepend* to the ExitPolicy config option.
347 -- Never implemented. Useful?]
349 "exit-policy/default" -- The default exit policy lines that Tor will
350 *append* to the ExitPolicy config option.
352 "desc/id/<OR identity>" or "desc/name/<OR nickname>" -- the latest
353 server descriptor for a given OR, NUL-terminated.
355 "ns/id/<OR identity>" or "ns/name/<OR nickname>" -- the latest network
356 status info for a given OR. Network status info is as given in
357 dir-spec.txt, and reflects the current beliefs of this Tor about the
358 router in question. Like directory clients, controllers MUST
359 tolerate unrecognized flags and lines. The published date and
360 descriptor digest are those believed to be best by this Tor,
361 not necessarily those for a descriptor that Tor currently has.
362 [First implemented in 0.1.2.3-alpha.]
364 "ns/all" -- Network status info for all ORs we have an opinion about,
365 joined by newlines. [First implemented in 0.1.2.3-alpha.]
367 "desc/all-recent" -- the latest server descriptor for every router that
370 "network-status" -- a space-separated list of all known OR identities.
371 This is in the same format as the router-status line in directories;
372 see dir-spec-v1.txt section 3 for details. (If VERBOSE_NAMES is
373 enabled, the output will not conform to dir-spec-v1.txt; instead, the
374 result will be a space-separated list of LongName, each preceded by a
375 "!" if it is believed to be not running.)
378 "addr-mappings/config"
379 "addr-mappings/cache"
380 "addr-mappings/control" -- a space-separated list of address
381 mappings, each in the form of "from-address=to-address".
382 The 'config' key returns those address mappings set in the
383 configuration; the 'cache' key returns the mappings in the
384 client-side DNS cache; the 'control' key returns the mappings set
385 via the control interface; the 'all' target returns the mappings
386 set through any mechanism.
388 "address" -- the best guess at our external IP address. If we
389 have no guess, return a 551 error. (Added in 0.1.2.2-alpha)
391 "fingerprint" -- the contents of the fingerprint file that Tor
392 writes as a server, or a 551 if we're not a server currently.
393 (Added in 0.1.2.3-alpha)
396 A series of lines as for a circuit status event. Each line is of
398 CircuitID SP CircStatus [SP Path] CRLF
401 A series of lines as for a stream status event. Each is of the form:
402 StreamID SP StreamStatus SP CircID SP Target CRLF
405 A series of lines as for an OR connection status event. Each is of the
407 ServerID SP ORStatus CRLF
410 A series of lines listing the currently chosen entry guards, if any.
412 ServerID SP (Status-with-time / Status) CRLF
414 Status-with-time = ("down" / "unlisted") SP ISOTime
415 Status = ("up" / "never-connected")
417 [From 0.1.1.4-alpha to 0.1.1.10-alpha, this was called "helper-nodes".
418 Tor still supports calling it that for now, but support will be
422 "accounting/hibernating"
424 "accounting/bytes-left"
425 "accounting/interval-start"
426 "accounting/interval-wake"
427 "accounting/interval-end"
428 Information about accounting status. If accounting is enabled,
429 "enabled" is 1; otherwise it is 0. The "hibernating" field is "hard"
430 if we are accepting no data; "soft" if we're accepting no new
431 connections, and "awake" if we're not hibernating at all. The "bytes"
432 and "bytes-left" fields contain (read-bytes SP write-bytes), for the
433 start and the rest of the interval respectively. The 'interval-start'
434 and 'interval-end' fields are the borders of the current interval; the
435 'interval-wake' field is the time within the current interval (if any)
436 where we plan[ned] to start being active.
439 A series of lines listing the available configuration options. Each is
441 OptionName SP OptionType [ SP Documentation ] CRLF
443 OptionType = "Integer" / "TimeInterval" / "DataSize" / "Float" /
444 "Boolean" / "Time" / "CommaList" / "Dependant" / "Virtual" /
445 "String" / "LineList"
449 A series of lines listing the available GETINFO options. Each is of
451 OptionName SP Documentation CRLF
452 OptionPrefix SP Documentation CRLF
453 OptionPrefix = OptionName "/*"
456 A space-separated list of all the events supported by this version of
460 A space-separated list of all the events supported by this version of
463 "next-circuit/IP:port"
466 "dir/status/authority"
468 "dir/status/fp/<F1>+<F2>+<F3>"
471 "dir/server/fp/<F1>+<F2>+<F3>"
473 "dir/server/d/<D1>+<D2>+<D3>"
474 "dir/server/authority"
476 A series of lines listing directory contents, provided according to the
477 specification for the URLs listed in Section 4.4 of dir-spec.txt. Note
478 that Tor MUST NOT provide private information, such as descriptors for
479 routers not marked as general-purpose. When asked for 'authority'
480 information for which this Tor is not authoritative, Tor replies with
483 "status/circuit-established"
485 These provide the current internal Tor values for various Tor
486 states. See Section 4.1.10 for explanations. (Only a few of the
487 status events are available as getinfo's currently. Let us know if
488 you want more exposed.)
491 C: GETINFO version desc/name/moria1
492 S: 250+desc/name/moria=
493 S: [Descriptor for moria]
495 S: 250-version=Tor 0.1.1.0-alpha-cvs
500 Sent from the client to the server. The format is:
501 "EXTENDCIRCUIT" SP CircuitID SP
502 ServerSpec *("," ServerSpec) SP
503 ("purpose=" Purpose) CRLF
505 This request takes one of two forms: either the CircuitID is zero, in
506 which case it is a request for the server to build a new circuit according
507 to the specified path, or the CircuitID is nonzero, in which case it is a
508 request for the server to extend an existing circuit with that ID according
509 to the specified path.
511 If CircuitID is 0 and "purpose=" is specified, then the circuit's
512 purpose is set. Two choices are recognized: "general" and
513 "controller". If not specified, circuits are created as "general".
515 If the request is successful, the server sends a reply containing a
516 message body consisting of the CircuitID of the (maybe newly created)
517 circuit. The syntax is "250" SP "EXTENDED" SP CircuitID CRLF.
519 3.11. SETCIRCUITPURPOSE
521 Sent from the client to the server. The format is:
522 "SETCIRCUITPURPOSE" SP CircuitID SP Purpose CRLF
524 This changes the circuit's purpose. See EXTENDCIRCUIT above for details.
526 3.12. SETROUTERPURPOSE
528 Sent from the client to the server. The format is:
529 "SETROUTERPURPOSE" SP NicknameOrKey SP Purpose CRLF
531 This changes the descriptor's purpose. See +POSTDESCRIPTOR below
536 Sent from the client to the server. The syntax is:
537 "ATTACHSTREAM" SP StreamID SP CircuitID CRLF
539 This message informs the server that the specified stream should be
540 associated with the specified circuit. Each stream may be associated with
541 at most one circuit, and multiple streams may share the same circuit.
542 Streams can only be attached to completed circuits (that is, circuits that
543 have sent a circuit status 'BUILT' event or are listed as built in a
544 GETINFO circuit-status request).
546 If the circuit ID is 0, responsibility for attaching the given stream is
549 Tor responds with "250 OK" if it can attach the stream, 552 if the circuit
550 or stream didn't exist, or 551 if the stream couldn't be attached for
553 {Implementation note: Tor will close unattached streams by itself,
554 roughly two minutes after they are born. Let the developers know if
555 that turns out to be a problem.}
557 {Implementation note: By default, Tor automatically attaches streams to
558 circuits itself, unless the configuration variable
559 "__LeaveStreamsUnattached" is set to "1". Attempting to attach streams
560 via TC when "__LeaveStreamsUnattached" is false may cause a race between
561 Tor and the controller, as both attempt to attach streams to circuits.}
563 {Implementation note: You can try to attachstream to a stream that
564 has already sent a connect or resolve request but hasn't succeeded
565 yet, in which case Tor will detach the stream from its current circuit
566 before proceeding with the new attach request.}
570 Sent from the client to the server. The syntax is:
571 "+POSTDESCRIPTOR" ("purpose=" Purpose) CRLF Descriptor CRLF "." CRLF
573 This message informs the server about a new descriptor. If Purpose is
574 specified, it must be either "general" or "controller", else we
577 The descriptor, when parsed, must contain a number of well-specified
578 fields, including fields for its nickname and identity.
580 If there is an error in parsing the descriptor, the server must send a "554
581 Invalid descriptor" reply. If the descriptor is well-formed but the server
582 chooses not to add it, it must reply with a 251 message whose body explains
583 why the server was not added. If the descriptor is added, Tor replies with
588 Sent from the client to the server. The syntax is:
589 "REDIRECTSTREAM" SP StreamID SP Address (SP Port) CRLF
591 Tells the server to change the exit address on the specified stream. If
592 Port is specified, changes the destination port as well. No remapping
593 is performed on the new provided address.
595 To be sure that the modified address will be used, this event must be sent
596 after a new stream event is received, and before attaching this stream to
599 Tor replies with "250 OK" on success.
603 Sent from the client to the server. The syntax is:
605 "CLOSESTREAM" SP StreamID SP Reason *(SP Flag) CRLF
607 Tells the server to close the specified stream. The reason should be one
608 of the Tor RELAY_END reasons given in tor-spec.txt, as a decimal. Flags is
609 not used currently; Tor servers SHOULD ignore unrecognized flags. Tor may
610 hold the stream open for a while to flush any data that is pending.
612 Tor replies with "250 OK" on success, or a 512 if there aren't enough
613 arguments, or a 552 if it doesn't recognize the StreamID or reason.
618 CLOSECIRCUIT SP CircuitID *(SP Flag) CRLF
621 Tells the server to close the specified circuit. If "IfUnused" is
622 provided, do not close the circuit unless it is unused.
624 Other flags may be defined in the future; Tor SHOULD ignore unrecognized
627 Tor replies with "250 OK" on success, or a 512 if there aren't enough
628 arguments, or a 552 if it doesn't recognize the CircuitID.
632 Tells the server to hang up on this controller connection. This command
633 can be used before authenticating.
639 "USEFEATURE" *(SP FeatureName) CRLF
640 FeatureName = 1*(ALPHA / DIGIT / "_" / "-")
642 Sometimes extensions to the controller protocol break compatibility with
643 older controllers. In this case, whenever possible, the extensions are
644 first included in Tor disabled by default, and only enabled on a given
645 controller connection when the "USEFEATURE" command is given. Once a
646 "USEFEATURE" command is given, it applies to all subsequent interactions on
647 the same connection; to disable an enabled feature, a new controller
648 connection must be opened.
650 This is a forward-compatibility mechanism; each feature will eventually
651 become a regular part of the control protocol in some future version of Tor.
652 Tor will ignore a request to use any feature that is already on by default.
653 Tor will give a "552" error if any requested feature is not recognized.
655 Feature names are case-insensitive.
659 Same as passing 'EXTENDED' to SETEVENTS; this is the preferred way to
660 request the extended event syntax.
662 This will not be always-enabled until at least XXX (or, at least two
663 stable releases after XXX, the release where it was first used for
668 Instead of ServerID as specified above, the controller should
669 identify ORs by LongName in events and GETINFO results. This format is
670 strictly more informative: rather than including Nickname for
671 known Named routers and Fingerprint for unknown or unNamed routers, the
672 LongName format includes a Fingerprint, an indication of Named status,
673 and a Nickname (if one is known).
675 This will not be always-enabled until at least 0.1.4.x (or at least two
676 stable releases after 0.1.2.2-alpha, the release where it was first
681 Reply codes follow the same 3-character format as used by SMTP, with the
682 first character defining a status, the second character defining a
683 subsystem, and the third designating fine-grained information.
685 The TC protocol currently uses the following first characters:
687 2yz Positive Completion Reply
688 The command was successful; a new request can be started.
690 4yz Temporary Negative Completion reply
691 The command was unsuccessful but might be reattempted later.
693 5yz Permanent Negative Completion Reply
694 The command was unsuccessful; the client should not try exactly
695 that sequence of commands again.
697 6yz Asynchronous Reply
698 Sent out-of-order in response to an earlier SETEVENTS command.
700 The following second characters are used:
703 Sent in response to ill-formed or nonsensical commands.
706 Refers to operations of the Tor Control protocol.
709 Refers to actual operations of Tor system.
711 The following codes are defined:
714 251 Operation was unnecessary
715 [Tor has declined to perform the operation, but no harm was done.]
717 451 Resource exhausted
719 500 Syntax error: protocol
721 510 Unrecognized command
722 511 Unimplemented command
723 512 Syntax error in command argument
724 513 Unrecognized command argument
725 514 Authentication required
726 515 Bad authentication
728 550 Unspecified Tor error
731 [Something went wrong inside Tor, so that the client's
732 request couldn't be fulfilled.]
734 552 Unrecognized entity
735 [A configuration key, a stream ID, circuit ID, event,
736 mentioned in the command did not actually exist.]
738 553 Invalid configuration value
739 [The client tried to set a configuration option to an
740 incorrect, ill-formed, or impossible value.]
742 554 Invalid descriptor
746 650 Asynchronous event notification
748 Unless specified to have specific contents, the human-readable messages
749 in error replies should not be relied upon to match those in this document.
751 4.1. Asynchronous events
753 These replies can be sent after a corresponding SETEVENTS command has been
754 received. They will not be interleaved with other Reply elements, but they
755 can appear between a command and its corresponding reply. For example,
756 this sequence is possible:
760 C: GETCONF SOCKSPORT ORPORT
761 S: 650 CIRC 1000 EXTENDED moria1,moria2
762 S: 250-SOCKSPORT=9050
765 But this sequence is disallowed:
768 C: GETCONF SOCKSPORT ORPORT
769 S: 250-SOCKSPORT=9050
770 S: 650 CIRC 1000 EXTENDED moria1,moria2
773 Clients MUST tolerate more arguments in an asynchonous reply than
774 expected, and MUST tolerate more lines in an asynchronous reply than
775 expected. For instance, a client that expects a CIRC message like:
776 650 CIRC 1000 EXTENDED moria1,moria2
778 650-CIRC 1000 EXTENDED moria1,moria2 0xBEEF
782 If clients ask for extended events, then each event line as specified below
783 will be followed by additional extensions. Additional lines will be of the
785 "650" ("-"/" ") KEYWORD ["=" ARGUMENTS] CRLF
786 Additional arguments will be of the form
787 SP KEYWORD ["=" ( QuotedString / * NonSpDquote ) ]
788 Such clients MUST tolerate lines with keywords they do not recognize.
790 4.1.1. Circuit status changed
794 "650" SP "CIRC" SP CircuitID SP CircStatus [SP Path]
795 [SP "REASON=" Reason [SP "REMOTE_REASON=" Reason]] CRLF
798 "LAUNCHED" / ; circuit ID assigned to new circuit
799 "BUILT" / ; all hops finished, can now accept streams
800 "EXTENDED" / ; one more hop has been completed
801 "FAILED" / ; circuit closed (was not built)
802 "CLOSED" ; circuit closed (was built)
804 Path = ServerID *("," ServerID)
806 Reason = "NONE" / "TORPROTOCOL" / "INTERNAL" / "REQUESTED" /
807 "HIBERNATING" / "RESOURCELIMIT" / "CONNECTFAILED" /
808 "OR_IDENTITY" / "OR_CONN_CLOSED" / "TIMEOUT" /
809 "FINISHED" / "DESTROYED" / "NOPATH" / "NOSUCHSERVICE"
811 The path is provided only when the circuit has been extended at least one
814 The "REASON" field is provided only for FAILED and CLOSED events, and only
815 if extended events are enabled (see 3.19). Clients MUST accept reasons
816 not listed above. Reasons are as given in tor-spec.txt, except for:
818 NOPATH (Not enough nodes to make circuit)
820 The "REMOTE_REASON" field is provided only when we receive a DESTROY or
821 TRUNCATE cell, and only if extended events are enabled. It contains the
822 actual reason given by the remote OR for closing the circuit. Clients MUST
823 accept reasons not listed above. Reasons are as listed in tor-spec.txt.
825 4.1.2. Stream status changed
829 "650" SP "STREAM" SP StreamID SP StreamStatus SP CircID SP Target
830 [SP "REASON=" Reason [ SP "REMOTE_REASON=" Reason ]] CRLF
833 "NEW" / ; New request to connect
834 "NEWRESOLVE" / ; New request to resolve an address
835 "SENTCONNECT" / ; Sent a connect cell along a circuit
836 "SENTRESOLVE" / ; Sent a resolve cell along a circuit
837 "SUCCEEDED" / ; Received a reply; stream established
838 "FAILED" / ; Stream failed and not retriable
839 "CLOSED" / ; Stream closed
840 "DETACHED" ; Detached from circuit; still retriable
842 Target = Address ":" Port
844 The circuit ID designates which circuit this stream is attached to. If
845 the stream is unattached, the circuit ID "0" is given.
847 Reason = "MISC" / "RESOLVEFAILED" / "CONNECTREFUSED" /
848 "EXITPOLICY" / "DESTROY" / "DONE" / "TIMEOUT" /
849 "HIBERNATING" / "INTERNAL"/ "RESOURCELIMIT" /
850 "CONNRESET" / "TORPROTOCOL" / "NOTDIRECTORY" / "END"
852 The "REASON" field is provided only for FAILED, CLOSED, and DETACHED
853 events, and only if extended events are enabled (see 3.19). Clients MUST
854 accept reasons not listed above. Reasons are as given in tor-spec.txt,
857 END (We received a RELAY_END cell from the other side of thise
860 The "REMOTE_REASON" field is provided only when we receive a RELAY_END
861 cell, and only if extended events are enabled. It contains the actual
862 reason given by the remote OR for closing the stream. Clients MUST accept
863 reasons not listed above. Reasons are as listed in tor-spec.txt.
865 4.1.3. OR Connection status changed
868 "650" SP "ORCONN" SP (ServerID / Target) SP ORStatus [ SP "REASON="
869 Reason ] [ SP "NCIRCS=" NumCircuits ]
871 ORStatus = "NEW" / "LAUNCHED" / "CONNECTED" / "FAILED" / "CLOSED"
873 NEW is for incoming connections, and LAUNCHED is for outgoing
874 connections. CONNECTED means the TLS handshake has finished (in
875 either direction). FAILED means a connection is being closed that
876 hasn't finished its handshake, and CLOSED is for connections that
879 A ServerID is specified unless it's a NEW connection, in which
880 case we don't know what server it is yet, so we use Address:Port.
882 If extended events are enabled (see 3.19), optional reason and
883 circuit counting information is provided for CLOSED and FAILED
886 Reason = "MISC" / "DONE" / "CONNECTREFUSED" /
887 "IDENTITY" / "CONNECTRESET" / "TIMEOUT" / "NOROUTE" /
890 NumCircuits counts both established and pending circuits.
893 4.1.4. Bandwidth used in the last second
896 "650" SP "BW" SP BytesRead SP BytesWritten *(SP Type "=" Num)
898 BytesWritten = 1*DIGIT
899 Type = "DIR" / "OR" / "EXIT" / "APP" / ...
902 BytesRead and BytesWritten are the totals. In Tor 0.1.x.y-alpha
903 and later, we also include a breakdown of the connection types
904 that used bandwidth this second (not implemented yet).
909 "650" SP Severity SP ReplyText
911 "650+" Severity CRLF Data
913 Severity = "DEBUG" / "INFO" / "NOTICE" / "WARN"/ "ERR"
915 4.1.6. New descriptors available
918 "650" SP "NEWDESC" 1*(SP ServerID)
920 4.1.7. New Address mapping
923 "650" SP "ADDRMAP" SP Address SP Address SP Expiry
924 Expiry = DQUOTE ISOTime DQUOTE / "NEVER"
926 Expiry is expressed as the local time (rather than GMT).
928 [XXX We should rename this to ADDRESSMAP. -RD]
930 [FFF We should add a SOURCE=%s argument for extended events,
931 which specifies what exit node told us this addressmap. -RD]
933 4.1.8. Descriptors uploaded to us in our role as authoritative dirserver
936 "650" "+" "AUTHDIR_NEWDESCS" CRLF Action CRLF Message CRLF
937 Descriptor CRLF "." CRLF
938 Action = "ACCEPTED" / "DROPPED" / "REJECTED"
941 4.1.9. Our descriptor changed
944 "650" SP "DESCCHANGED"
946 [First added in 0.1.2.2-alpha.]
948 4.1.10. Status events
950 Status events (STATUS_GENERAL, STATUS_CLIENT, and STATUS_SERVER) are sent
951 based on occurrences in the Tor process pertaining to the general state of
952 the program. Generally, they correspond to log messages of severity Notice
953 or higher. They differ from log messages in that their format is a
957 "650" SP StatusType SP StatusSeverity SP StatusAction
958 [SP StatusArguments] CRLF
960 StatusType = "STATUS_GENERAL" / "STATUS_CLIENT" / "STATUS_SERVER"
961 StatusSeverity = "NOTICE" / "WARN" / "ERR"
962 StatusAction = 1*ALPHA
963 StatusArguments = StatusArgument *(SP StatusArgument)
964 StatusArgument = StatusKeyword '=' StatusValue
965 StatusKeyword = 1*(ALNUM / "_")
966 StatusValue = 1*(ALNUM / '_') / QuotedString
968 Action is a string, and Arguments is a series of keyword=value
969 pairs on the same line. Values may be space-terminated strings,
972 These events are always produced with EXTENDED_EVENTS and
973 VERBOSE_NAMES; see the explanations in the USEFEATURE section
976 Controllers MUST tolerate unrecognized actions, MUST tolerate
977 unrecognized arguments, MUST tolerate missing arguments, and MUST
978 tolerate arguments that arrive in any order.
980 Each event description below is accompanied by a recommendation for
981 controllers. These recommendations are suggestions only; no controller
982 is required to implement them.
984 Actions for STATUS_GENERAL events can be as follows:
988 Tor spent enough time without CPU cycles that it has closed all
989 its circuits and will establish them anew. This typically
990 happens when a laptop goes to sleep and then wakes up again. It
991 also happens when the system is swapping so heavily that Tor is
992 starving. The "time" argument specifies the number of seconds Tor
993 thinks it was unconscious for (or alternatively, the number of
994 seconds it went back in time).
996 This status event is sent as NOTICE severity normally, but WARN
997 severity if Tor is acting as a server currently.
999 {Recommendation for controller: ignore it, since we don't really
1000 know what the user should do anyway. Hm.}
1004 "REASON=NEW/OLD/UNRECOMMENDED"
1005 "RECOMMENDED=\"version, version, ...\""
1006 Tor has found that directory servers don't recommend its version of
1007 the Tor software. RECOMMENDED is a comma-and-space-separated string
1008 of Tor versions that are recommended. REASON is NEW if this version
1009 of Tor is newer than any recommended version, OLD if this version of
1010 Tor is older than any recommended version, and UNRECOMMENDED if
1011 some recommended versions of Tor are newer and some are old than this
1014 {Controllers may want to suggest that the user upgrade OLD or
1015 UNRECOMMENDED versions. NEW versions may be known-insecure, or may
1016 simply be development versions.}
1018 TOO_MANY_CONNECTIONS
1020 Tor has reached its ulimit -n or whatever the native limit is on file
1021 descriptors or sockets. CURRENT is the number of sockets Tor
1022 currently has open. The user should really do something about
1023 this. The "current" argument shows the number of connections currently
1026 {Controllers may recommend that the user increase the limit, or
1027 increase it for them. Recommendations should be phrased in an
1028 OS-appropriate way and automated when possible.}
1032 Tor has encountered a situation that its developers never expected,
1033 and the developers would like to learn that it happened. Perhaps
1034 the controller can explain this to the user and encourage her to
1037 {Controllers should log bugs, but shouldn't annoy the user in case a
1038 bug appears frequently.}
1041 SKEW="+" / "-" SECONDS
1042 SOURCE="DIRSERV:IP:Port" / "NETWORKSTATUS:IP:PORT"
1043 If "SKEW" is present, it's an estimate of how far we are from the
1044 time declared in the source. If the source is a DIRSERV, we got
1045 the current time from a connection to a dirserver. If the source is
1046 a NETWORKSTATUS, we decided we're skewed because we got a
1047 networkstatus from far in the future.
1049 {Controllers may want to warn the user if the skew is high, or if
1050 multiple skew messages appear at severity WARN. Controllers
1051 shouldn't blindly adjust the clock, since the more accurate source
1052 of skew info (DIRSERV) is currently unauthenticated.}
1055 "METHOD=" libevent method
1056 "VERSION=" libevent version
1057 "BADNESS=" "BROKEN" / "BUGGY" / "SLOW"
1058 "RECOVERED=" "NO" / "YES"
1059 Tor knows about bugs in using the configured event method in this
1060 version of libevent. "BROKEN" libevents won't work at all;
1061 "BUGGY" libevents might work okay; "SLOW" libevents will work
1062 fine, but not quickly. If "RECOVERED" is YES, Tor managed to
1063 switch to a more reliable (but probably slower!) libevent method.
1065 {Controllers may want to warn the user if this event occurs, though
1066 generally it's the fault of whoever built the Tor binary and there's
1067 not much the user can do besides upgrade libevent or upgrade the
1071 Tor believes that none of the known directory servers are
1072 reachable -- this is most likely because the local network is
1073 down or otherwise not working, and might help to explain for the
1074 user why Tor appears to be broken.
1076 {Controllers may want to warn the user if this event occurs; further
1077 action is generally not possible.}
1079 Actions for STATUS_CLIENT events can be as follows:
1082 Tor now knows enough network-status documents and enough server
1083 descriptors that it's going to start trying to build circuits now.
1085 {Controllers may want to use this event to decide when to indicate
1086 progress to their users, but should not interrupt the user's browsing
1090 We discarded expired statuses and router descriptors to fall
1091 below the desired threshold of directory information. We won't
1092 try to build any circuits until ENOUGH_DIR_INFO occurs again.
1094 {Controllers may want to use this event to decide when to indicate
1095 progress to their users, but should not interrupt the user's browsing
1099 Tor is able to establish circuits for client use. This event will
1100 only be sent if we just built a circuit that changed our mind --
1101 that is, prior to this event we didn't know whether we could
1104 {Suggested use: controllers can notify their users that Tor is
1105 ready for use as a client once they see this status event. [Perhaps
1106 controllers should also have a timeout if too much time passes and
1107 this event hasn't arrived, to give tips on how to troubleshoot.
1108 On the other hand, hopefully Tor will send further status events
1109 if it can identify the problem.]}
1111 CIRCUIT_NOT_ESTABLISHED
1112 "REASON=" "EXTERNAL_ADDRESS" / "DIR_ALL_UNREACHABLE" / "CLOCK_JUMPED"
1113 We are no longer confident that we can build circuits. The "reason"
1114 keyword provides an explanation: which other status event type caused
1115 our lack of confidence.
1117 {Controllers may want to use this event to decide when to indicate
1118 progress to their users, but should not interrupt the user's browsing
1120 [Note: only REASON=CLOCK_JUMPED is implemented currently.]
1123 "PROTOCOL=SOCKS4/SOCKS5"
1125 A connection was made to Tor's SOCKS port using one of the SOCKS
1126 approaches that doesn't support hostnames -- only raw IP addresses.
1127 If the client application got this address from gethostbyname(),
1128 it may be leaking target addresses via DNS.
1130 {Controllers should warn their users when this occurs, unless they
1131 happen to know that the application using Tor is in fact doing so
1132 correctly (e.g., because it is part of a distributed bundle).}
1134 SOCKS_UNKNOWN_PROTOCOL
1136 A connection was made to Tor's SOCKS port that tried to use it
1137 for something other than the SOCKS protocol. Perhaps the user is
1138 using Tor as an HTTP proxy? The DATA is the first few characters
1139 sent to Tor on the SOCKS port.
1141 {Controllers may want to warn their users when this occurs: it
1142 indicates a misconfigured application.}
1145 "HOSTNAME=QuotedString"
1146 Some application gave us a funny-looking hostname. Perhaps
1147 it is broken? In any case it won't work with Tor and the user
1150 {Controllers may want to warn their users when this occurs: it
1151 usually indicates a misconfigured application.}
1153 Actions for STATUS_SERVER can be as follows:
1158 "METHOD=CONFIGURED/DIRSERV/RESOLVED/INTERFACE/GETHOSTNAME"
1159 Our best idea for our externally visible IP has changed to 'IP'.
1160 If 'HOSTNAME' is present, we got the new IP by resolving 'NAME'. If the
1161 method is 'CONFIGURED', the IP was given verbatim as a configuration
1162 option. If the method is 'RESOLVED', we resolved the Address
1163 configuration option to get the IP. If the method is 'GETHOSTNAME',
1164 we resolved our hostname to get the IP. If the method is 'INTERFACE',
1165 we got the address of one of our network interfaces to get the IP. If
1166 the method is 'DIRSERV', a directory server told us a guess for what
1169 {Controllers may want to record this info and display it to the user.}
1171 CHECKING_REACHABILITY
1173 "DIRADDRESS=IP:port"
1174 We're going to start testing the reachability of our external OR port
1177 {This event could effect the controller's idea of server status, but
1178 the controller should not interrupt the user to tell them so.}
1180 REACHABILITY_SUCCEEDED
1182 "DIRADDRESS=IP:port"
1183 We successfully verified the reachability of our external OR port or
1186 {This event could effect the controller's idea of server status, but
1187 the controller should not interrupt the user to tell them so.}
1189 GOOD_SERVER_DESCRIPTOR
1190 We successfully uploaded our server descriptor to each of the
1191 directory authorities, with no complaints.
1193 {This event could effect the controller's idea of server status, but
1194 the controller should not interrupt the user to tell them so.}
1198 "STATUS=" "UP" / "DOWN"
1200 One of our nameservers has changed status.
1203 {This event could effect the controller's idea of server status, but
1204 the controller should not interrupt the user to tell them so.}
1207 All of our nameservers have gone down.
1209 {This is a problem; if it happens often without the nameservers
1210 coming up again, the user needs to configure more or better
1214 Our DNS provider is providing an address when it should be saying
1215 "NOTFOUND"; Tor will treat the address as a synonym for "NOTFOUND".
1217 {This is an annoyance; controllers may want to tell admins that their
1218 DNS provider is not to be trusted.}
1221 Our DNS provider is giving a hijacked address instead of well-known
1222 websites; Tor will not try to be an exit node.
1224 {Controllers could warn the admin if the server is running as an
1225 exit server: the admin needs to configure a good DNS server.
1226 Alternatively, this happens a lot in some restrictive environments
1227 (hotels, universities, coffeeshops) when the user hasn't registered.}
1229 BAD_SERVER_DESCRIPTOR
1232 A directory authority rejected our descriptor. Possible reasons
1233 include malformed descriptors, incorrect keys, highly skewed clocks,
1236 {Controllers should warn the admin, and try to cope if they can.}
1238 ACCEPTED_SERVER_DESCRIPTOR
1240 A single directory authority accepted our descriptor.
1243 {This event could effect the controller's idea of server status, but
1244 the controller should not interrupt the user to tell them so.}
1248 "DIRADDRESS=IP:port"
1249 We failed to connect to our external OR port or directory port
1252 {This event could effect the controller's idea of server status. The
1253 controller should warn the admin and suggest reasonable steps to take.}
1255 4.1.11. Our set of guard nodes has changed
1258 "650" SP "GUARDS" SP Type SP Name SP Status ... CRLF
1260 Name = The (possibly verbose) nickname of the guard affected.
1261 Status = "NEW" | "UP" | "DOWN" | "BAD" | "GOOD" | "DROPPED"
1263 [explain states. XXX]
1265 4.1.12. Network status has changed
1268 "650" "+" "NS" CRLF 1*NetworkStatus "." CRLF
1270 [First added in 0.1.2.3-alpha]
1272 5. Implementation notes
1276 By default, the current Tor implementation trusts all local users.
1278 If the 'CookieAuthentication' option is true, Tor writes a "magic cookie"
1279 file named "control_auth_cookie" into its data directory. To authenticate,
1280 the controller must send the contents of this file, encoded in hexadecimal.
1282 If the 'HashedControlPassword' option is set, it must contain the salted
1283 hash of a secret password. The salted hash is computed according to the
1284 S2K algorithm in RFC 2440 (OpenPGP), and prefixed with the s2k specifier.
1285 This is then encoded in hexadecimal, prefixed by the indicator sequence
1286 "16:". Thus, for example, the password 'foo' could encode to:
1287 16:660537E3E1CD49996044A3BF558097A981F539FEA2F9DA662B4626C1C2
1288 ++++++++++++++++**^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1291 You can generate the salt of a password by calling
1292 'tor --hash-password <password>'
1293 or by using the example code in the Python and Java controller libraries.
1294 To authenticate under this scheme, the controller sends Tor the original
1295 secret that was used to generate the password.
1297 5.2. Don't let the buffer get too big.
1299 If you ask for lots of events, and 16MB of them queue up on the buffer,
1300 the Tor process will close the socket.
1302 5.3. Backward compatibility with v0 control protocol.
1304 For backward compatibility with the "version 0" control protocol, Tor checks
1305 whether the third octet the first command is zero. If it is, Tor
1306 assumes that version 0 is in use. This feature is deprecated, and will be
1307 removed in the 0.1.3.x Tor development series.
1309 In order to detect which version of the protocol is supported controllers
1310 should send the sequence [00 00 0D 0A]. This is a valid and unrecognized
1311 command in both protocol versions, and implementations can detect which
1312 error they have received.