[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #4587 [Tor Client]: Bugs in tor_tls_got_client_hello()
#4587: Bugs in tor_tls_got_client_hello()
------------------------+---------------------------------------------------
Reporter: Sebastian | Owner:
Type: defect | Status: needs_review
Priority: normal | Milestone: Tor: 0.2.3.x-final
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by nickm_mobile):
Replying to [comment:6 asn]:
> FML. Fuck SGC as well, for ruining my 'One ClientHello per handshake'
mental assert.
>
> As a fix, going by troll's suggestion, should we add another flag to
`tor_tls_t` saying "Next ClientHello is a new handshake request."?
> It will be toggled ON by default, and it will get toggled OFF when we
increase the `server_handshake_count` at `tor_tls_got_client_hello()`. It
will be toggled ON again when we get to `SSL_ST_OK`. The
`server_handshake_count` will only be increased if the flag is ON.
>
> If the `SSL_ST_OK` state only occurs at the end of an SSL handshake, we
will only consider the first ClientHello as a handshake request, and count
handshakes (and renegotiations) correctly. I have '''not''' checked
OpenSSL's code to see if `SSL_ST_OK` appears only in the end of the SSL
handshake.
>
> What do the OpenSSL gurus think?
First, I'd like to know if the fix I suggested (branch bug 4587 in my
repo) works to address the issue stars is reporting above.
That done, I want to see if the TLS rfc actually allows multiple
clienthellos for any purpose othef than rengeotiations. If not, we should
call >2 clienthellos forbidden anyways, and just edit the log message to
be less dire. IM(basically unconsidered) opinion.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4587#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs