New Release Candidate: Tor

by nickm | November 15, 2019

There's a new release candidate available for download. If you build Tor from source, you can download the source code for from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely by December 3.

Remember, this is a release candidate: there may still be more bugs here than usual. We'd love to know about any new ones, so that we can try to get them fixed before we call this series stable.

Tor is the first release candidate in its series. It fixes several bugs from earlier versions, including a few that would result in stack traces or incorrect behavior.

Changes in version - 2019-11-15

  • Minor features (build system):
    • Make pkg-config use --prefix when cross-compiling, if PKG_CONFIG_PATH is not set. Closes ticket 32191.
  • Minor features (geoip):
    • Update geoip and geoip6 to the November 6 2019 Maxmind GeoLite2 Country database. Closes ticket 32440.


  • Minor bugfixes (client, onion service v3):
    • Fix a BUG() assertion that occurs within a very small race window between when a client intro circuit opens and when its descriptor gets cleaned up from the cache. The circuit is now closed early, which will trigger a re-fetch of the descriptor and continue the connection. Fixes bug 28970; bugfix on
  • Minor bugfixes (code quality):
    • Fix "make check-includes" so it runs correctly on out-of-tree builds. Fixes bug 31335; bugfix on
  • Minor bugfixes (configuration):
    • Log the option name when skipping an obsolete option. Fixes bug 32295; bugfix on
  • Minor bugfixes (crash):
    • When running Tor with an option like --verify-config or --dump-config that does not start the event loop, avoid crashing if we try to exit early because of an error. Fixes bug 32407; bugfix on
  • Minor bugfixes (directory):
    • When checking if a directory connection is anonymous, test if the circuit was marked for close before looking at its channel. This avoids a BUG() stacktrace if the circuit was previously closed. Fixes bug 31958; bugfix on
  • Minor bugfixes (shellcheck):
    • Fix minor shellcheck errors in the git-*.sh scripts. Fixes bug 32402; bugfix on
    • Start checking most scripts for shellcheck errors again. Fixes bug 32402; bugfix on
  • Testing (continuous integration):
    • Use Ubuntu Bionic images for our Travis CI builds, so we can get a recent version of coccinelle. But leave chutney on Ubuntu Trusty, until we can fix some Bionic permissions issues (see ticket 32240). Related to ticket 31919.
    • Install the mingw OpenSSL package in Appveyor. This makes sure that the OpenSSL headers and libraries match in Tor's Appveyor builds. (This bug was triggered by an Appveyor image update.) Fixes bug 32449; bugfix on
    • In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241.


Please note that the comment area below has been archived.

November 17, 2019


Read the DDOS fix was coming in 4.2 no mention of it. Is the fix still planned for this? How can onion operators use it when it is added

I don't think there is something like "the DDOS" fix. There a a multitude of denial-of-service attacks feasible against the Tor network. As a result there has been a stream of mitigations against denial-of-service attacks in recent versions of Tor and not just in 0.4.2.

However, there is a major DoS defense included in 0.4.2 to mitigate attacks against onion services. Perhaps, you meant this defense. Since this blog is only about the latest alpha release in the 0.4.2 series (i.e changes since, you can't find anything about it in this post. To get a complete picture of all changes within the 0.4.2 series, check out the release notes of the earlier alpha releases. In particular should be of interest. Details about fine-tuning the defense can be found in the manpages.

Downloading the r.c and with the aim to test it today do I need to add the DoS defense to torrc?

These - DoSCircuitCreationEnabled 0|1|auto, DoSCircuitCreationMinConnections, DoSCircuitCreationRate, DoSCircuitCreationBurst, DoSCircuitCreationDefenseType , DoSCircuitCreationDefenseTimePeriod N seconds|minutes|hours, DoSConnectionEnabled 0|1|auto, DoSConnectionMaxConcurrentCount NUM, DoSConnectionDefenseType NUM, DoSRefuseSingleHopClientRendezvous 0|1|auto

Aim is to help with DDoS attack against hidden service will I use them all and do I put them inside my torrc file ?

Those parameters do not apply to hidden service themselves. They only apply if you run a relay. The tor network currently enables some of them with some default values.

If you run a relay and you are unsure here, I would avoid setting any of them.

The hidden service specific DoS defenses are:

  • HiddenServiceEnableIntroDoSDefense
  • HiddenServiceEnableIntroDoSRatePerSec
  • HiddenServiceEnableIntroDoSBurstPerSec

November 20, 2019


Use Ubuntu Bionic images for our Travis CI builds, so we can get a recent version of coccinelle. But leave chutney on Ubuntu Trusty, until we can fix some Bionic permissions issues (see ticket 32240). Related to ticket 31919.

If those words were uttered only a short time ago, you'd be approached by men and woman in white coats.

Its a headscratcher still.

Note: Those guides are probably old. If you don't find your program there, search the web for how to torify it or connect it to Tor. In general, you configure a SocksPort in your torrc file and then configure your user-facing program to proxy through that local port or the default port, 9050 or 9150. Beware of your program or protocols possibly leaking data by not always connecting to that port.

November 21, 2019


One 'must' donate in order to avail of free unfettered onion flavoured Web access?
And if one, say, is unemployed or without finances etc...
What then?
Thanks in advance for expected non reply.


November 22, 2019


Thinking about businesses whose revenue either is made from web admins purchasing defenses or is in direct competition with the Tor network for privacy-minded customers who become fed up with captchas or perceived association with illegal behavior, I hope that Tor Project has mulled over the extent of exit relays that could be surreptitiously operated by such entities.

Consider that Shodan was discovered in 2016 running innocent-looking public NTP servers that harvested connection addresses, including private DNS-absent IPv6 addresses, to run port scans on them. It would be trivial to substitute NTP with tor, connection addresses with web destinations, and port scans with DoS or "unusual traffic from your network."…