[tor-bugs] #7139 [Tor]: Tor involuntarily sets TLS session tickets

Thu Oct 18 10:21:37 UTC 2012

#7139: Tor involuntarily sets TLS session tickets
-----------------------------------+----------------------------------------
    Reporter:  nextgens            |        Type:  defect                        
      Status:  needs_review        |    Priority:  major                         
   Milestone:  Tor: 0.2.2.x-final  |   Component:  Tor                           
     Version:                      |    Keywords:  tor-relay ssl tls security pfs
      Parent:                      |      Points:                                
Actualpoints:                      |  
-----------------------------------+----------------------------------------

Comment(by nextgens):

 Let me rephrase the above as it might not have been clear enough:

 If you assume that the key material used to encrypt the tickets is swapped
 out to disk, you have a security problem whereby you've lost PFS. A
 potential attacker in possession of both the ciphertext AND the leaked key
 material (network traffic capture + swapfile) can recover the plaintext by
 decrypting the session ticket.

 Openssl will generate ephemeral, random, per session keys to encrypt the
 ticket unless tlsext_ticket_key_cb is set (Tor doesn't set it) and stores
 them in the session cache (that Tor explicitly disables). The code related
 to this is in ssl3_send_newsession_ticket... Bottom line is, the keys are
 in memory and might end up on disk...

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7139#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online