Compatibility issue with OpenSSL 1.1.1a

Hi, folks!

You should know that there is a compatibility issue between Tor and OpenSSL 1.1.1a, when TLS 1.3 is in use. Only OpenSSL 1.1.1a is affected; other OpenSSL versions are not. The effect here is that Tor relays using this version of OpenSSL will not be able to negotiate TLS 1.3 connections with one another.

This is caused by a regression in OpenSSL 1.1.1a's implementation of the tls13_hkdf_expand() function. For more information, see https://trac.torproject.org/projects/tor/ticket/28616

We're looking into possible mitigations.

best wishes,
-- Nick

I have run into this issue just now and I am curious if I can "just" downgrade back or if there is any other way to work around it? How does this affect my relay? Will it still be usable? Thx

On 28.11.2018 at 13:47, Nick Mathewson wrote:
Hi, folks!
You should know that there is a compatibility issue between Tor and OpenSSL 1.1.1a, when TLS 1.3 is in use. Only OpenSSL 1.1.1a is affected; other OpenSSL versions are not. The effect here is that Tor relays using this version of OpenSSL will not be able to negotiate TLS 1.3 connections with one another.
This is caused by a regression in OpenSSL 1.1.1a's implementation of the tls13_hkdf_expand() function. For more information, see https://trac.torproject.org/projects/tor/ticket/28616
We're looking into possible mitigations.
best wishes,

On Sat, Dec 1, 2018 at 8:40 PM Paul <paul@roteserver.de> wrote:
I have run into this issue just now and I am curious if I can "just" downgrade back or if there is any other way to work around it?
I think that it's okay to downgrade to 1.1.1 for Tor's purposes: the two security vulnerabilities fixed in 1.1.1a are about DSA and ECDSA, which Tor doesn't use. Also, you could use 1.1.0j if you prefer something patched.
How does this affect my relay? Will it still be usable?
It will be usable by anybody connecting to it with TLS up to 1.2, and by clients using TLS 1.3. Connections between your relay and other relays will fail if you are both upgraded to TLS 1.3.

Thank you for the answer, but I am unable to find precompiled packages for 1.1.1 for Debian. I am currently using buster and I could downgrade to 1.1.0j from stretch security. Can someone help me?

On 03.12.2018 at 02:09, Nick Mathewson wrote:
On Sat, Dec 1, 2018 at 8:40 PM Paul <paul@roteserver.de> wrote:
I have run into this issue just now and I am curious if I can "just" downgrade back or if there is any other way to work around it?
I think that it's okay to downgrade to 1.1.1 for Tor's purposes: the two security vulnerabilities fixed in 1.1.1a are about DSA and ECDSA, which Tor doesn't use. Also, you could use 1.1.0j if you prefer something patched.
How does this affect my relay? Will it still be usable?
It will be usable by anybody connecting to it with TLS up to 1.2, and by clients using TLS 1.3. Connections between your relay and other relays will fail if you are both upgraded to TLS 1.3.
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Same problem here, relay down for this reason :(
Thank you for the answer, but I am unable to find precompiled packages for 1.1.1 for Debian.
I am currently using buster and I could downgrade to 1.1.0j from stretch security.
Can someone help me?
-- Petrusko C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5

Add "deb http://security.debian.org/ stretch/updates main" to /etc/apt/sources.list.d/stretch.list
apt-get update
apt-get -t stretch install openssl
remove /etc/apt/sources.list.d/stretch.list

On Mon, Dec 03, 2018 at 07:31:55PM +0100, Paul wrote:
Thank you for the answer, but I am unable to find precompiled packages for 1.1.1 for Debian.
I am currently using buster and I could downgrade to 1.1.0j from stretch security.
Can someone help me?

Downgrading libssl1.1 destroys some of my packages like apache2 and also hinders nyx from starting (ImportError: /usr/lib/x86_64-linux-gnu/libssl.so.1.1: version `OPENSSL_1_1_1' not found (required by /usr/lib/python3.6/lib-dynload/_ssl.cpython-36m-x86_64-linux-gnu.so)). I will not be able to downgrade, so we need a fix soon please.

On 06.12.2018 at 10:32, Emilian Ursu wrote:
Add "deb http://security.debian.org/ stretch/updates main" to /etc/apt/sources.list.d/stretch.list
apt-get update
apt-get -t stretch install openssl
remove /etc/apt/sources.list.d/stretch.list
On Mon, Dec 03, 2018 at 07:31:55PM +0100, Paul wrote:
Thank you for the answer, but I am unable to find precompiled packages for 1.1.1 for Debian.
I am currently using buster and I could downgrade to 1.1.0j from stretch security.
Can someone help me?

If you want to help test a workaround (disables TLS 1.3) for this issue see: https://github.com/torproject/tor/pull/625

Nick wrote (https://trac.torproject.org/projects/tor/ticket/28973#comment:2 ):
I expect that a few warnings will still happen with this branch: it waits for the bug to happen once before disabling TLS 1.3, by which point other TLS 1.3 connections may already be in progress.
-- https://twitter.com/nusenu_ https://mastodon.social/@nusenu
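An added check script, not from any message in this thread, that a relay operator can run before and after following the downgrade advice above: it classifies the runtime OpenSSL version exactly as the thread does (1.1.1a affected; 1.1.1 and 1.1.0j suggested as fallbacks) and shows which libssl the tor binary actually links, since that is the library whose TLS 1.3 handshake fails. It assumes `openssl`, `tor` and `ldd` are on PATH; the function names are my own.

```shell
#!/bin/sh
# Added example: classify an "openssl version" string against the thread's advice.
# Returns 0 when the version is the affected 1.1.1a, 1 otherwise.
classify_openssl() {
    # $1 is the full output of `openssl version`, e.g. "OpenSSL 1.1.1a  20 Nov 2018".
    # `openssl version` reports the runtime libssl it is linked against, so on a
    # Debian system it reflects the installed libssl1.1 package.
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.1.1a)
            echo "AFFECTED: OpenSSL $ver has the tls13_hkdf_expand() regression;" \
                 "relay-to-relay TLS 1.3 handshakes will fail"
            return 0 ;;
        1.1.1|1.1.0j)
            echo "OK: OpenSSL $ver is one of the versions suggested in the thread"
            return 1 ;;
        *)
            echo "OK: OpenSSL $ver is not 1.1.1a"
            return 1 ;;
    esac
}

# Show the libssl that the tor binary resolves at run time. After the stretch
# downgrade this is where the OPENSSL_1_1_1 symbol-version mismatch seen with
# python's _ssl module would also show up for any other consumer of libssl.
relay_check() {
    if command -v openssl >/dev/null 2>&1; then
        classify_openssl "$(openssl version)" || true
    else
        echo "openssl CLI not found; cannot read the runtime library version"
    fi
    if command -v tor >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1; then
        echo "libssl linked by tor:"
        ldd "$(command -v tor)" | grep libssl || echo "  (no dynamic libssl found)"
    fi
}

relay_check
```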