
more on openssl 1.0.0 problem



     I just saw the following item on the freebsd-ports mailing list that
may have some bearing upon the failure of tor to work with openssl 1.0.0
on FreeBSD 7.3-STABLE, while the same tor works fine with openssl 0.9.8n.
Note that what I observed with openssl 1.0.0 was that incoming connections
were received, but were then almost immediately closed down.  The directory
authorities were apparently unable to establish connectivity beyond that
point with my relay either, so they never distributed its descriptor or any
entry for it in the consensus.  The following item may therefore be of some
interest to the tor development team.

 Date: Mon, 03 May 2010 20:03:53 +0200
 From: Matthias Andree <mandree@xxxxxxxxxxx>
 Subject: Re: OpenSSL 1.0.0 Gotcha - Certificate Hashes are Different
 To: freebsd-ports@xxxxxxxxxxx
 Cc: dinoex@xxxxxxxxxxx
 Message-ID: <4BDF1009.3020300@xxxxxxxxxxx>
 Content-Type: text/plain; charset=ISO-8859-15
 
 
 On 01.05.2010 05:16, John Marshall wrote:
 > I just spent quite a while trying to figure out what broke SSL
 > certificate verification in my irc client after taking some brave pills
 > and updating ports on my notebook.
 > 
 > It turns out that OpenSSL 1.0.0 hashes certificates differently to
 > earlier versions.  That meant that applications looking in my
 > /usr/local/openssl/certs directory couldn't find hashes for CA
 > certificates because the hash links had been created with OpenSSL 0.9.8.
 > 
 > From the CHANGES file in the root of the OpenSSL 1.0.0 distribution:
 > 
 >   "Enhance the hash format used for certificate directory links. The new
 >    form uses the canonical encoding (meaning equivalent names will work
 >    even if they aren't identical) and uses SHA1 instead of MD5. This form
 >    is incompatible with the older format and as a result c_rehash should
 >    be used to rebuild symbolic links.
 >    [Steve Henson]"
 > 
 > So, that's good to know but here's the really fun bit.  Just running
 > c_rehash won't fix it if you have openssl in the base system - because
 > it picks up /usr/bin/openssl (old version, old hashes).  The
 > /usr/local/bin/c_rehash script relies on an environment variable to
 > point it at anything other than the base openssl.  So, if I set
 > OPENSSL=/usr/local/bin/openssl in the environment and then run c_rehash,
 > I get the "new" hashes and stuff works again.
 > 
 
 (cc'ing Dirk who maintains the OpenSSL port - consider taking the patch
 linked below)
 
 I reported this - along with proposed fixes - to OpenSSL a couple of
 days ago, however there does not seem to be a 1.0.0a yet.
 
 (username and password "guest")
 
 Report: <http://rt.openssl.org/Ticket/Display.html?id=2234>
 
 Deep link to patch:
 <http://rt.openssl.org/Ticket/Attachment/26716/13060/openssl-1.0.0-fix-c_rehash.patch>
 
 
 HTH
 Matthias


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
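The rehash step described in the quoted message, as an added example that is not part of this thread: a POSIX shell function that rebuilds the certificate directory hash links the way c_rehash does, honouring the OPENSSL variable the message mentions, plus a check that resolves a certificate through the rebuilt directory. It assumes an openssl binary that accepts -subject_hash and, where available, the -subject_hash_old option that 1.0.0 added, so that one directory serves programs linked against either 0.9.8 or 1.0.0.

```shell
# rehash_certs DIR [OPENSSL_BINARY]
# Rebuild the hash links in a certificate directory as c_rehash does, using
# the openssl binary given as the second argument, else $OPENSSL, else the
# first "openssl" in PATH. Each certificate gets a link for the 1.0.0 hash
# (SHA1 over the canonical subject) and, when the binary supports
# -subject_hash_old, one for the 0.9.8 (MD5) hash as well.
rehash_certs() {
    local dir="$1" ssl="${2:-${OPENSSL:-openssl}}" link cert base style h n
    # drop links left by a previous run: 8 hex digits, a dot, a number
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        case ${link##*/} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) rm -f "$link" ;;
        esac
    done
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        base=${cert##*/}
        for style in subject_hash subject_hash_old; do
            # keys and other non-certificate PEM files make x509 fail, as does
            # an openssl too old to know -subject_hash_old: skip those
            h=$("$ssl" x509 -noout "-$style" -in "$cert" 2>/dev/null) || continue
            n=0
            while [ -e "$dir/$h.$n" ]; do
                # a duplicate copy of the same file is already linked under this hash
                [ "$(readlink "$dir/$h.$n")" = "$base" ] && continue 2
                n=$((n + 1))   # genuine collision: c_rehash numbers them .1, .2, ...
            done
            ln -s "$base" "$dir/$h.$n"
        done
    done
}

# verify_with_capath DIR CERT [OPENSSL_BINARY]
# Succeeds only when the given openssl can build a chain for CERT from the
# hash links in DIR. Older openssl versions exit 0 even when verification
# fails, so the text of the report is checked rather than the exit status.
verify_with_capath() {
    local ssl="${3:-${OPENSSL:-openssl}}"
    "$ssl" verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}
```

Run it once per openssl binary you care about (OPENSSL=/usr/local/bin/openssl rehash_certs /usr/local/openssl/certs); a directory hashed only by the base-system 0.9.8 binary will fail verify_with_capath under 1.0.0 exactly as the message describes.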