On Sat, 01 Aug 2015 13:06:55 -0400 starlight.2015q2@xxxxxxxxxxx wrote:
> >Bug: Assertion r == 0 failed in crypto_generate_dynamic_dh_modulus
> >at ../src/common/crypto.c:1788.
> >
>
> Looks like you have DynamicDHGroups enabled
> in your torrc file.

Yes. Don't use it. It's kind of pointless since it only affects TLS cyphersuites that shouldn't get negotiated in the first place.

> This is interesting because the recent
> LogJam research indicates the NSA
> has probably broken commonly used 1024
> bit DH groups, which suggests turning
> on this parameter.

Sigh. There's no point because any sensible build of Tor will negotiate ECDHE over DHE when doing the TLS handshake (which is the only thing this option applies to).

Note: "any sensible build" basically is anything moderately recent, linked against OpenSSL >= 1.0.0 (If your vendor OpenSSL is older than that, 0.2.7.2-alpha and later will refuse to build, so users may as well start thinking of a migration path.).

> However it was disabled by default some
> time ago for anti-fingerprinting reasons:
>
> https://trac.torproject.org/projects/tor/ticket/5598

The feature is flat out deprecated in 0.2.7.1-alpha and later, in the "The code that implemented it was removed" sense of "deprecated".

https://trac.torproject.org/projects/tor/ticket/13736

> AND, it's probably a moot issue now that Ntor
> handshakes (elliptic curve) have overtaken
> older RSA connections.

This has nothing to do with TAP vs ntor, and only affects TLS.

--
Yawning Angel
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays