On Thursday 12 November 2009 03:15:20 Nick Mathewson wrote: > On Wed, Nov 11, 2009 at 12:59:21PM -0500, Andrew S. Lists wrote: > > On 11/05/09 15:52, Nick Mathewson wrote: > > > On Thu, Nov 05, 2009 at 02:10:00PM -0500, Marcus Griep wrote: > > >> Don't know if any one else has seen or taken a look at this. I > > >> don't know if this affects Tor, though I believe that we do use > > >> certificate renegotiation in the protocol, and that is the entry > > >> vector for this particular vulnerability: > > > > > > FWIW, this doesn't affect Tor. The problem here is not > > > renegotiation per se; the problem is doing renegotiation, then > > > acting as though data sent _before_ the renegotiation were > > > authenticated with the rengotiated credentials. > > > > > > The Tor protocol isn't vulnerable here because 1) it doesn't > > > allow data to be sent before the renegotiation step, and 2) it > > > doesn't treat a renegotiation as authenticating previously > > > exchanged data (because there isn't any). > > > > The vulnerability itself might not effect Tor, but the OpenSSL > > workaround for this vulnerability of disabling renegotiation by > > default in 0.9.8l [1] might not play nice with a Tor > > implementation. > > Indeed it will not. We have a fix in svn to make the 0.2.1.x and > 0.2.2.x-alpha series both work correctly with OpenSSL 0.9.8l. With > any luck, we should get releases out before too long. Hi Nick, Would you mind releasing that updated version a.s.a.p. Tor doesn't work here at all anymore Regards, Erwin -- Erwin Lam (erwinlam@xxxxxx)
Attachment:
signature.asc
Description: This is a digitally signed message part.