
Re: Tor fails to build connections after FreeBSD security update



Roger Dingledine <arma@xxxxxxx> wrote:

> On Sat, Dec 05, 2009 at 07:36:13PM +0100, Hans Schnehl wrote:
> > On Sat, Dec 05, 2009 at 11:39:33AM -0500, Andrew Lewman wrote:
> > > Tor initiates a ssl renegotiate at the start of a circuit, the latest
> > > openssl breaks tor.  The fixes for this are currently in -alpha only.
> > > The 0.2.1.21-dev in git also contains the fix.  We're testing
> > > 0.2.2.6-alpha right now,
> > > https://blog.torproject.org/blog/tor-0226-alpha-released.  Please try
> > > 0.2.2.6-alpha and let us know if it works.
> > 
> > Tor version 0.2.2.6-alpha (git-1ee580407ccb9130) was where this
> > started. That's the current from the official download page now and
> > the one in the FreeBSD ports.
> > Tried Tor version 0.2.2.6-alpha-dev (git-4afdb79051f7b1ca) from a
> > minute ago or so, fails with OpenSSL 0.9.8e, runs "sort of" with
> > 0.9.8l but still gives the following:
> 
> To make things more complex, while Tor 0.2.2.6-alpha has the workaround
> to handle the way that openssl 0.9.8l broke renegotiation, it looks
> like openssl 0.9.8m broke renegotiation in a new way. The upcoming
> 0.2.2.7-alpha (or current git head) aims to handle this new way.
> 
> So I'm not sure what your openssl 0.9.8e actually is. But perhaps it's
> 0.9.8e with backports from 0.9.8m, in which case moving to Tor's git
> head might help.

FreeBSD's OpenSSL patch disables session renegotiation without
offering the option to enable it. Moving to Tor's git head doesn't
help and openssl-0.9.8l has to be installed from ports.

Quoting the advisory:

|V.   Solution
|
|NOTE WELL: This update causes OpenSSL to reject any attempt to renegotiate
|SSL / TLS session parameters.  As a result, connections in which the other
|party attempts to renegotiate session parameters will break.  In practice,
|however, session renegotiation is a rarely-used feature, so disabling this
|functionality is unlikely to cause problems for most systems.

For some values of "most systems".

http://security.freebsd.org/advisories/FreeBSD-SA-09:15.ssl.asc
http://security.freebsd.org/patches/SA-09:15/ssl.patch

Fabian
