[tor-bugs] #13816 [Tor]: tor SSL errors with LibreSSL on OS X 10.9
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Nov 22 14:20:01 UTC 2014
#13816: tor SSL errors with LibreSSL on OS X 10.9
-------------------------------------------------+------------------------------
 Reporter:  teor                                 | Owner:
 Type:      defect                               | Status:         new
 Priority:  normal                               | Milestone:      Tor: 0.2.???
 Component: Tor                                  | Version:        Tor: 0.2.6.1-alpha
 Keywords:  tor-relay tor-auth tor-client lorax  | Actual Points:
 Parent ID: #13415                               | Points:
-------------------------------------------------+------------------------------
Split from #13415:
'''Testing tor LibreSSL with Chutney'''
teor:
Once I get tor/LibreSSL to compile, the unit tests pass flawlessly.
But I see the following log entries in chutney clients, which I really
don't have any idea how to fix (I'm going to try boringssl next):
[notice] We weren't able to find support for all of the TLS ciphersuites that we wanted to advertise. This won't hurt security, but it might make your Tor (if run as a client) more easy for censors to block.
[notice] To correct this, use a version of OpenSSL built with none of its ciphers disabled.
[info] TLS error while handshaking with "127.0.0.1": wrong cipher returned (in SSL routines:SSL3_GET_SERVER_HELLO:SSLv3 read server hello B)
[info] int connection_tls_continue_handshake(or_connection_t *)(): tls error [misc error]. breaking connection.
[info] void circuit_n_chan_done(channel_t *, int)(): Channel failed; closing circ.
[info] void circuit_build_failed(origin_circuit_t *)(): Our circuit died before the first hop with no connection
[info] void connection_ap_fail_onehop(const char *, cpath_build_state_t *)(): Closing one-hop stream to '$<KEY>/127.0.0.1' because the OR conn just failed.
[info] void connection_or_note_state_when_broken(or_connection_t *)(): Connection died in state 'handshaking (TLS) with SSL state SSLv3 read server hello B in HANDSHAKE'
[info] void control_event_bootstrap_problem(const char *, int, or_connection_t *)(): Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 8; recommendation ignore)
[info] 8 connections have failed:
[info] 8 connections died in state handshaking (TLS) with SSL state SSLv3 read server hello B in HANDSHAKE
chutney routers are similar, with these extra lines on init:
[info] int crypto_global_init(int, const char *, const char *)(): NOT using OpenSSL engine support.
[info] int evaluate_evp_for_aes(int)(): This version of OpenSSL has a known-good EVP counter-mode implementation. Using it.
[info] void tor_tls_init()(): OpenSSL LibreSSL 2.0 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
chutney authorities also include these extras:
[info] or_connection_t *connection_or_connect(const tor_addr_t *, uint16_t, const char *, channel_tls_t *)(): Client asked me to connect to myself. Refusing.
[info] void log_unsupported_ciphers(smartlist_t *)(): The unsupported ciphers were: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:AES128-SHA:CAMELLIA128-SHA:AES256-SHA:CAMELLIA256-SHA:DES-CBC3-SHA:RC4-SHA
[info] TLS error while handshaking with "127.0.0.1": sslv3 alert illegal parameter (in SSL routines:SSL3_READ_BYTES:SSLv3 read client certificate A)
nickm:
There's some kind of server-side issue we'll need to solve, though.
Tor master with libressl 2.1.0 bootstraps fine under Chutney with me,
without the "TLS error while handshaking" warnings. Do I need to do
additional steps to see those?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13816>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
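
As an added example (not code from the ticket or from Tor): a Python script that recovers the cipher names from the `log_unsupported_ciphers` entry quoted in the ticket, even when it is hard-wrapped, and checks which of them a local TLS library accepts. The library probed is the one behind Python's `ssl` module, an assumption standing in for the one tor was built against; the function names are hypothetical.

```python
import re
import ssl

# Constructed sample: the "unsupported ciphers" entry quoted in the ticket,
# hard-wrapped the way a mail client wraps it, plus the entry that follows.
SAMPLE_LOG = """\
[info] void log_unsupported_ciphers(smartlist_t *)(): The unsupported
ciphers were: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-
RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-
RC4-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-
RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:EDH-RSA-DES-
CBC3-SHA:AES128-SHA:CAMELLIA128-SHA:AES256-SHA:CAMELLIA256-SHA:DES-
CBC3-SHA:RC4-SHA
[info] TLS error while handshaking with "127.0.0.1": sslv3 alert illegal
parameter (in SSL routines:SSL3_READ_BYTES:SSLv3 read client certificate
A)
"""

MARKER = re.compile(r"The unsupported\s+ciphers were:")

def parse_unsupported(log_text):
    """Return the cipher names from the entry, undoing any line wrapping."""
    m = MARKER.search(log_text)
    if not m:
        return []
    rest = log_text[m.end():]
    nxt = re.search(r"^\[", rest, re.M)  # entry ends at the next "[level]" line
    body = rest[:nxt.start()] if nxt else rest
    return [c for c in re.sub(r"\s+", "", body).split(":") if c]

def library_accepts(name):
    """True if the local TLS library enables a suite under exactly this name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # no connection is made
    try:
        ctx.set_ciphers(name)
    except ssl.SSLError:  # the library could not select any cipher
        return False
    # TLS 1.3 suites stay enabled regardless, so match on the name itself.
    return any(c["name"] == name for c in ctx.get_ciphers())

def partition(names):
    """Split names into (accepted, missing) for the local library."""
    ok = [n for n in names if library_accepts(n)]
    return ok, [n for n in names if n not in ok]

if __name__ == "__main__":
    ok, missing = partition(parse_unsupported(SAMPLE_LOG))
    print("accepted:", ok, "\nmissing:", missing)
```

A name the library knows only under a newer alias is reported as missing, since the match is on the exact string.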