Re: [tor-bugs] #21152 [Core Tor/Tor]: "connections died in state handshaking (TLS) with SSL state SSLv3" sure makes it look like we're using SSLv3
#21152: "connections died in state handshaking (TLS) with SSL state SSLv3" sure
makes it look like we're using SSLv3
--------------------------+---------------------------
Reporter: arma | Owner:
Type: defect | Status: closed
Priority: Medium | Milestone:
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution: not a bug
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------+---------------------------
Changes (by yawning):
* status: new => closed
* resolution: => not a bug
Comment:
> So, are the handshakes using SSLv3, or are they not? :)
OpenSSL prior to 1.1.0 uses `ssl3_connect()` to do the actual connection
work, even if you are using TLS (See: `ssl/t1_clnt.c`). OpenSSL 1.1.0 and
later renames and refactors everything, and will display `SSLv3/TLS read
server certificate` here instead.
> I assume this is just a cosmetic issue where SSL_state_string_long()
> lies to us.
Indeed. And there's nothing we can do about it.
> But who knows, maybe there is something deeper going on?
{{{
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
}}}
If people are really worried, they can gather a pcap containing the
ClientHello and look at the version while keeping in mind Appendix E of
the RFC.
Since this is cosmetic, OpenSSL's fault, and fixed in newer OpenSSL, I'm
going to close this. Reopen it once someone produces a pcap displaying
horrifyingly wrong behavior.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21152#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
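
The check suggested in the comment above (read the version fields of a captured ClientHello), as an added example that is not part of the original message or of Tor's code. It assumes "the RFC" is RFC 5246, whose Appendix E lets a client send any {03,XX} value as the record-layer version, so only the ClientHello's own client_version shows what was offered; the function names and the sample bytes are constructed for illustration.

```python
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def client_hello_versions(data: bytes) -> dict:
    """Parse the first bytes a client sent; return record-layer and offered versions."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-compatible hello: 2-byte length with high bit set, msg_type 1, version.
        return {"format": "v2-compatible", "record": None,
                "offered": struct.unpack_from(">H", data, 3)[0]}
    if len(data) < 11:
        raise ValueError("truncated: need record header, handshake header and version")
    rec_type, rec_ver, _rec_len = struct.unpack_from(">BHH", data, 0)
    if rec_type != 0x16:
        raise ValueError("not a TLS handshake record")
    if data[5] != 0x01:
        raise ValueError("first handshake message is not a ClientHello")
    # client_version follows the 1-byte type and 3-byte length of the handshake header.
    return {"format": "tls", "record": rec_ver,
            "offered": struct.unpack_from(">H", data, 9)[0]}

def max_offered_is_sslv3(data: bytes) -> bool:
    """True only if the highest version the client offered is SSLv3 (0x0300)."""
    return client_hello_versions(data)["offered"] == 0x0300

def build_sample(record_ver: int, offered: int) -> bytes:
    """Constructed ClientHello (zero random, one cipher suite), not captured traffic."""
    body = (struct.pack(">H", offered) + bytes(32) + b"\x00"
            + struct.pack(">H", 2) + b"\xc0\x2f" + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack(">BHH", 0x16, record_ver, len(hs)) + hs

if __name__ == "__main__":
    # A record-layer version of 0x0300 alone does not mean SSLv3 was offered.
    for rec, off in [(0x0300, 0x0303), (0x0301, 0x0303), (0x0300, 0x0300)]:
        sample = build_sample(rec, off)
        v = client_hello_versions(sample)
        print(f"record={NAMES.get(v['record'])} offered={NAMES.get(v['offered'])} "
              f"max_is_sslv3={max_offered_is_sslv3(sample)}")
```

To use it on real traffic, pass the first TCP payload bytes the client sent, extracted from the pcap with any capture tool.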