[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor and Openssl on old OSX [was Tor and Openssl bug CVE-2014-0160]

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Tor and Openssl on old OSX [was Tor and Openssl bug CVE-2014-0160]
From: Geoff Down <geoffdown@xxxxxxxxxxxx>
Date: Tue, 08 Apr 2014 22:06:31 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 08 Apr 2014 17:08:11 -0400
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=fastmail.net; h= message-id:from:to:mime-version:content-transfer-encoding :content-type:in-reply-to:references:subject:date; s=mesmtp; bh= nq1rJzg0S+GFjyMZOVpS/wMiAnw=; b=NTFIKV/rbk5/AQ9an+ZEAjO0O7dNHiWR kSl2sioiBmpSCNy0nkvQPBRSRR+AD8Bu4lCwHkgM2UcSQm07mDfe6K/dxA1Nw2fb BEbuWnn67vYvBdtc1ZrQ+mp9UYe5skdNxDeXg7grchMbVMx0/2SizD8GuTg+yRIg 6WoZS3wnlsI=
Dkim-signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=message-id:from:to:mime-version :content-transfer-encoding:content-type:in-reply-to:references :subject:date; s=smtpout; bh=nq1rJzg0S+GFjyMZOVpS/wMiAnw=; b=bDk OFSOAeEmgLJ2bzgV8IILT5qyTwK9aQ7uAmJWHK9Z/mzOYRozZevN/dshDybefyva WdRFWCjuI/xObS4CyViM0rnyvA0/QfXMr7+KpbfYn3XkFYWpH82sGXNQXSzrKCmV /R/yJOcVs7wQ/rZeMz74UrQH6uqZY/7JvX76CFhU=
In-reply-to: <20140408171316.GH13674@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20140407231747.GH22584@xxxxxxxxxxxxxx> <1396922166.18015.103913225.2F40F147@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <CAEydrT8QhtQ_1=rTF3oH_bkLjybQeNPuAENmiQ9ZH5FGghE_Hw@xxxxxxxxxxxxxx> <1396960261.14581.104070685.0D260E8B@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <20140408171316.GH13674@xxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi Andreas
On Tue, Apr 8, 2014, at 06:13 PM, Andreas Krey wrote:
> On Tue, 08 Apr 2014 13:31:01 +0000, Geoff Down wrote:
> > b) if some other object, where is it in OSX10.4 and how do I check the
> > version
> 
> That depends on whether your tor binary is build with shared libraries;
> 'otool -L path/to/your/tor' will show which libraries it uses.
/library/tor/bin/tor:
        /opt/local/lib/libz.1.dylib (compatibility version 1.0.0,
        current version 1.2.5)
        /opt/local/lib/libevent-2.0.5.dylib (compatibility version
        7.0.0, current version 7.4.0)
        /opt/local/lib/libssl.1.0.0.dylib (compatibility version 1.0.0,
        current version 1.0.0)
        /opt/local/lib/libcrypto.1.0.0.dylib (compatibility version
        1.0.0, current version 1.0.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
        version 88.1.12)

libssl==openssl? If so, not vulnerable

> 
> (Apart from that the Macos libraryes may be patched by apple
> from the original openssl.org versions.)
> 
> > c) if the version is a vulnerable one, how do I update it
> > ? 
> 
> Install new versions of the openssl libs as soon as apple provides
> them when you use the ones from the system.

 Not a supported OS any more.

> Then you (probably)
> need to recompile tor itself and make sure that it references the
> proper version of openssl libraries.
> 
> tor, when started, also tells the openssl version in the first message.

 Not any more, apparently, at Notice level. At Info level though:
[info] tor_tls_init(): OpenSSL OpenSSL 1.0.0g 18 Jan 2012 looks like
version 0.9.8m or later; I will try SSL_OP to enable renegotiation
 Looks promising.

> 
> You may also download and compile openssl yourself and link
> against that version, but I can't just write down how to
> do that - there are some macos specials to find out to do
> that, and I didn't yet.
> 

Thanks for this much help anyway :)

-- 
http://www.fastmail.fm - The professional email service

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Tor and Openssl on old OSX [was Tor and Openssl bug CVE-2014-0160]
  - From: Andreas Krey

References:
- [tor-talk] Tor and Openssl bug CVE-2014-0160
  - From: Roger Dingledine
- Re: [tor-talk] Tor and Openssl bug CVE-2014-0160
  - From: Geoff Down
- Re: [tor-talk] Tor and Openssl bug CVE-2014-0160
  - From: kendrick eastes
- Re: [tor-talk] Tor and Openssl bug CVE-2014-0160
  - From: Geoff Down
- Re: [tor-talk] Tor and Openssl bug CVE-2014-0160
  - From: Andreas Krey

Prev by Author: Re: [tor-talk] Tor and Openssl bug CVE-2014-0160
Next by Author: Re: [tor-talk] Does Tor need to be recompiled *after* the opensslupdate?
Previous by thread: Re: [tor-talk] Tor and Openssl bug CVE-2014-0160
Next by thread: Re: [tor-talk] Tor and Openssl on old OSX [was Tor and Openssl bug CVE-2014-0160]
Index(es):
- Author
- Thread