> Date: Tue, 26 May 2015 09:25:22 -0400
> From: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
>
> I posted this on a blog comment, but others may be interested too.
>
>
> As near as I can tell, the "logjam"/"weakdh" attacks should not affect
> current Tor software very much, for a few reasons:
>
> * All currently supported Tor versions, when built with OpenSSL 1.0 or
> later, prefer 256-bit elliptic-curve Diffie Hellman for their TLS
> connections, not the 1024-bit Diffie Hellman over Z_p as discussed in
> this paper.
>
> …
>
> Recommendations:
>
> …
>
> * If you're running OpenSSL 0.9.8 or earlier, you should consider upgrading
> to 1.0.0 or later.

(Mac) OS X Yosemite 10.10 and earlier ship with OpenSSL 0.9.8 and 0.9.7.

For Yosemite 10.10.3 (14D136) in particular, these are:

$ ls -l /usr/lib/libssl.*
-rwxr-xr-x 1 root wheel 400608 10 Sep 2014 /usr/lib/libssl.0.9.7.dylib
-rwxr-xr-x 1 root wheel 616512 20 Mar 13:16 /usr/lib/libssl.0.9.8.dylib
lrwxr-xr-x 1 root wheel 18 28 Jan 23:16 /usr/lib/libssl.dylib -> libssl.0.9.8.dylib

$ strings /usr/lib/libssl.0.9.8.dylib | grep "OpenSSL 0.9.8"
OpenSSL 0.9.8zd 8 Jan 2015
…
$ strings /usr/lib/libssl.0.9.7.dylib | grep "OpenSSL 0.9.7"
…
OpenSSL 0.9.7l 28 Sep 2006
…

(As an aside, please avoid running strings on any untrusted binaries.)

While it's possible to build or install OpenSSL 1.0 or 1.1 on OS X, it's not the default.

How does this affect Tor and/or Tor Browser on OS X?

teor

teor2345 at gmail dot com
pgp 0xABFED1AC
https://gist.github.com/teor2345/d033b8ce0a99adbc89c5

teor at blah dot im
OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7
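Added example (not part of the original message, and not Tor or OpenSSL code): a shell version of the library check in the message above that extracts the OpenSSL banner with grep -a, which scans the file as raw bytes rather than parsing it as an object file, and reports whether the version is older than 1.0.0. The function names are illustrative, and the pattern assumes the "OpenSSL x.y.z[letters] DD Mon YYYY" banner form seen in the output quoted in the message.

```shell
#!/bin/sh
# Added example: report the OpenSSL version embedded in libssl files.
# Function names are illustrative, not from any project.

# Print the first version banner found in file $1 (empty if none).
# grep -a treats the file as plain bytes; LC_ALL=C avoids locale
# decoding problems on binary data.
openssl_banner() {
    LC_ALL=C grep -a -o \
        'OpenSSL [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]* \{1,2\}[0-9]\{1,2\} [A-Z][a-z][a-z] [0-9]\{4\}' \
        "$1" | head -n 1
}

# Succeed when the banner in $1 names version 1.0.0 or later.
# 1.0.0 is the first release with major number 1, so comparing the
# major number is enough; letter suffixes such as "zd" do not matter.
openssl_at_least_1_0() {
    ver=${1#OpenSSL }      # "0.9.8zd 8 Jan 2015"
    ver=${ver%% *}         # "0.9.8zd"
    major=${ver%%.*}       # "0"
    [ "$major" -ge 1 ]
}

# Print one verdict line per file given as an argument.
check_libssl() {
    for f in "$@"; do
        banner=$(openssl_banner "$f")
        if [ -z "$banner" ]; then
            echo "$f: no OpenSSL banner found"
        elif openssl_at_least_1_0 "$banner"; then
            echo "$f: $banner -> 1.0.0 or later"
        else
            echo "$f: $banner -> older than 1.0.0"
        fi
    done
}

# Run on any paths passed on the command line,
# for example /usr/lib/libssl.* as in the message above.
if [ "$#" -gt 0 ]; then
    check_libssl "$@"
fi
```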