
Re: Tor fails to build connections after FreeBSD security update



Yes, I am seeing this as well.
I recently did the same thing on my home relay with the same end results as you.
I did not attempt to install the ssl port though and am still trying to make it use the base ssl.
I de-installed the port and re-installed, but still saw the same errors you see.
Running FreeBSD 7.2-RELEASE-p5 #0: Thu Dec  3 22:36:36 EST 2009 (amd64), OpenSSL 0.9.8e 23 Feb 2007 with libevent 1.4.12 (whether or not the version is relevant).
Sounds like you are about two steps ahead of me though in tracking down the issue.

Likewise, I'm glad I ran it here before I did it on the exit node.

On Sat, Dec 5, 2009 at 9:54 AM, Hans Schnehl <torvallenator@xxxxxxxxx> wrote:
Hi,


Due to several security advisories there have been a few patches advised to
be applied on FreeBSD systems.
These are
FreeBSD-SA-09:15.ssl,
FreeBSD-SA-09:16.rtld,
FreeBSD-SA-09:17.freebsd-update,
FreeBSD-SA-09:15.ssl [REVISED]

FreeBSD-SA-09:15.ssl is to be found at
http://lists.freebsd.org/pipermail/freebsd-security-notifications/2009-December/000136.html
and notes:

[snip]
NOTE WELL: This update causes OpenSSL to reject any attempt to renegotiate
SSL / TLS session parameters.  As a result, connections in which the other
party attempts to renegotiate session parameters will break.  In practice,
however, session renegotiation is a rarely-used feature, so disabling this
functionality is unlikely to cause problems for most systems.
[snip]

Well, so shall it be.
I rebuilt world to 7.2-STABLE #0 r200100: Fri Dec  4 16:29, but one may just
as well apply the patches, see above.
After that Tor, running perfectly before the update, fails to build connections.
There are plenty of info level messages about failed TLS renegotiation, which
is just about what the above message says (surprise!)

Tor is:
Tor version 0.2.2.6-alpha (git-1ee580407ccb9130), which is the default
tor-devel version available from the fbsd ports;
the box is running 7.2-STABLE on i386.

Tor itself and libevent have been rebuilt after the build.

The default OpenSSL version coming with the 7.2 base system is OpenSSL 0.9.8e;
now patched, Tor fails to bootstrap (messages like '...stuck at
85%').

I made Tor use the ports version, openssl-0.9.8l, and with that
Tor after all is able to build circuits, but only after an unusually
long time and complaining.
Tor though still fails to accept the StrictEntryNodes option; it can't connect to
the nodes listed under EntryNodes and therefore no circuits are built with
this option set.  (The nodes are up, but handled as being down.)

This happened on a box running Tor as a client. I don't really want that
to happen on a busy relay.

Anyone else seeing this?
Solutions apart from using openssl-0.9.8l ?
What did I possibly miss ?

Regards
Hans
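The symptom pattern Hans describes (a burst of info-level TLS renegotiation failures followed by a bootstrap that stalls at a fixed percentage) is easy to recognise from a relay or client log before touching the OpenSSL setup. The script below is an added example written for this thread, not code from Tor or FreeBSD: it parses a constructed log excerpt, counts renegotiation failures per peer, tracks bootstrap progress, and reports whether the stall coincides with rejected renegotiation. The log format approximates Tor's "Mon DD HH:MM:SS.mmm [level] message" layout; the message texts, peer addresses (documentation ranges) and the `SAMPLE_LOG` constant are all invented stand-ins, not Tor's real wording.

```python
import re

# Constructed sample log excerpt (assumption: not real Tor output). The message
# texts stand in for the "failed TLS renegotiation" info lines and the
# "stuck at 85%" bootstrap message mentioned in the thread.
SAMPLE_LOG = """\
Dec 05 09:40:01.000 [notice] Tor 0.2.2.6-alpha (git-1ee580407ccb9130) opening new log file.
Dec 05 09:40:01.200 [notice] Bootstrapped 5%: Connecting to directory server.
Dec 05 09:40:03.120 [info] TLS error: renegotiation failed (connection to 192.0.2.10:9001)
Dec 05 09:40:05.220 [info] TLS error: renegotiation failed (connection to 198.51.100.7:443)
Dec 05 09:40:07.000 [notice] Bootstrapped 85%: Finishing handshake with first hop.
Dec 05 09:40:41.000 [info] TLS error: renegotiation failed (connection to 192.0.2.10:9001)
Dec 05 09:41:07.000 [warn] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop.
"""

# One log line: timestamp, bracketed level, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<level>\w+)\] (?P<msg>.*)$"
)
# "renegotiation ... fail(ed)" in any wording the log might use.
RENEG_RE = re.compile(r"renegotiat\w*\b.*\bfail", re.I)
# Peer address in our constructed "(connection to host:port)" suffix.
PEER_RE = re.compile(r"connection to (\S+?)\)")
BOOT_RE = re.compile(r"Bootstrapped (\d+)%")
STUCK_RE = re.compile(r"Stuck at (\d+)%", re.I)


def parse_log(text):
    """Return (timestamp, level, message) tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("ts"), m.group("level"), m.group("msg")))
    return entries


def renegotiation_failures(entries):
    """List the peer of every renegotiation-failure message (one entry per failure)."""
    peers = []
    for _ts, _level, msg in entries:
        if RENEG_RE.search(msg):
            pm = PEER_RE.search(msg)
            peers.append(pm.group(1) if pm else "unknown")
    return peers


def bootstrap_status(entries):
    """Return (last Bootstrapped percentage seen, percentage reported as stuck or None)."""
    last = None
    stuck = None
    for _ts, _level, msg in entries:
        m = BOOT_RE.search(msg)
        if m:
            last = int(m.group(1))
        m = STUCK_RE.search(msg)
        if m:
            stuck = int(m.group(1))
    return last, stuck


def diagnose(text):
    """Summarise a log excerpt and name the most likely cause of a bootstrap stall."""
    entries = parse_log(text)
    peers = renegotiation_failures(entries)
    last, stuck = bootstrap_status(entries)
    if peers and stuck is not None:
        # Renegotiation is being refused by the libssl Tor is linked against;
        # the next step is to check which libssl that is (base vs. ports).
        cause = "tls-renegotiation-rejected"
    elif stuck is not None:
        cause = "bootstrap-stalled-other"
    else:
        cause = "no-stall-detected"
    return {
        "renegotiation_failures": len(peers),
        "affected_peers": sorted(set(peers)),
        "last_bootstrap_percent": last,
        "stuck_at": stuck,
        "likely_cause": cause,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real log the only thing to change is the peer regex, since the address suffix here is an assumption about formatting; the renegotiation and bootstrap patterns are deliberately loose. A result of `tls-renegotiation-rejected` on a box updated per FreeBSD-SA-09:15.ssl points at the libssl Tor loads rather than at the network, which is the distinction Hans had to work out by hand.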