[tor-bugs] #7070 [Tor]: tor disables the SSLv3 for OpenSSL 1.0.0j

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Wed Oct 10 03:35:03 UTC 2012


#7070: tor disables the SSLv3 for OpenSSL 1.0.0j
--------------------+-------------------------------------------------------
 Reporter:  kukabu  |          Owner:       
     Type:  defect  |         Status:  new  
 Priority:  normal  |      Milestone:       
Component:  Tor     |        Version:       
 Keywords:          |         Parent:  #4822
   Points:          |   Actualpoints:       
--------------------+-------------------------------------------------------

Comment(by nickm):

 Okay, this is a problem that we have with Fedora perpetually.  Within each
 Fedora release, they freeze the OpenSSL version number reported by
 SSLeay() and by OPENSSL_VERSION_NUMBER, even when they upgrade to a newer
 OpenSSL.  So even though you have "1.0.0j" according to the human-readable
 version string, it's calling itself an alpha or beta version of OpenSSL
 1.0.0, and Tor can'd tell that it's really been upgraded.

 I'm not sure what the right behavior is here, but I think our best bet
 might be to just treat this as Fedora being Fedora, and accept that we
 will sometimes mistake a Fedora openssl for an older one than it really
 is.  Other approaches -- like testing for the presence of the bug at
 runtime, or trying to parse the human-readable version string -- seem like
 they would be error-prone too, just in different ways.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7070#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list