Re: [tor-bugs] #4587 [Tor Client]: Bugs in tor_tls_got_client_hello()
#4587: Bugs in tor_tls_got_client_hello()
------------------------+---------------------------------------------------
Reporter: Sebastian | Owner:
Type: defect | Status: needs_review
Priority: normal | Milestone: Tor: 0.2.3.x-final
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by asn):
OK, I've been doing some tests with `master` plus `0452f34e` plus
`103d5ef3` plus:
{{{
diff --git a/src/common/tortls.c b/src/common/tortls.c
index b4d81de..8507069 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1580,7 +1580,6 @@ tor_tls_set_renegotiate_callbacks(tor_tls_t *tls,
tls->excess_renegotiations_callback = cb2;
tls->callback_arg = arg;
tls->got_renegotiate = 0;
- SSL_set_info_callback(tls->ssl, tor_tls_state_changed_callback);
}
/** If this version of openssl requires it, turn on renegotiation on
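Review bot: With the `SSL_set_info_callback(tls->ssl, tor_tls_state_changed_callback)` call dropped from `tor_tls_set_renegotiate_callbacks()`, nothing in this function installs the state-change callback any more, so the callbacks and `callback_arg` stored just above only take effect if the info callback is already installed on `tls->ssl` by the time this runs. That installation is not visible in this diff; please point to it in the commit message and update this function's doc comment to say it now only stores the callbacks and resets `got_renegotiate`.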
@@ -1784,7 +1783,6 @@ tor_tls_finish_handshake(tor_tls_t *tls)
{
int r = TOR_TLS_DONE;
if (tls->isServer) {
- SSL_set_info_callback(tls->ssl, NULL);
SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, always_accept_verify_cb);
/* There doesn't seem to be a clear OpenSSL API to clear mode flags.
*/
tls->ssl->mode &= ~SSL_MODE_NO_AUTO_CHAIN;
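Review bot: Removing `SSL_set_info_callback(tls->ssl, NULL)` from the `tls->isServer` branch of `tor_tls_finish_handshake()` leaves the info callback installed on server-side connections for the rest of their lifetime, so it will now fire on every post-handshake state change as well. Please add a comment at this spot saying that this is intentional, and confirm the callback is safe to run once the handshake is done, particularly since `server_handshake_count` is reported in this same comment as still incorrect.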
}}}
Preliminary testing shows it to work. Bufferevent/non-bufferevent
version, successfully rate-limits renegotiations, does not crash with the
DoS tool [0], and completes v1/v2/v3 handshake.
I haven't found a way to send two ClientHellos, but I was thinking of
trying an MS IE version that supports SGC and pointing it to a relay. We
still '''haven't''' fixed the fact that `server_handshake_count` is
incorrect (but see comment:12 for an idea that a quick browsing of the
OpenSSL code seems to support, but I haven't had the time to test it or
look at the `ssl3_accept()` thoroughly.)
Please test more before merging anything, and don't be afraid of pulling
the whole code out of `master` if you don't have enough time.
[0]:
I'm stress testing by doing:
`thc-ssl-dosit() { while :; do (while :; do echo R; done) | openssl s_client -msg -connect 127.0.0.1:6666 2>/dev/null; done }`
and then calling `thc-ssl-dosit`, as suggested in http://www.thc.org/thc-ssl-dos/. You can also try the tool itself.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4587#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online