[tor-bugs] #13415 [Tor]: tor fails LibreSSL compilation and chutney basic

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Oct 15 05:33:11 UTC 2014


#13415: tor fails LibreSSL compilation and chutney basic
------------------------------+----------------------------------
 Reporter:  teor              |          Owner:
     Type:  defect            |         Status:  new
 Priority:  normal            |      Milestone:
Component:  Tor               |        Version:  Tor: unspecified
 Keywords:  tor-router lorax  |  Actual Points:
Parent ID:                    |         Points:
------------------------------+----------------------------------
 I'm having trouble getting LibreSSL to work with tor git on OS X 10.9.

 '''Configuring'''

 Here are the issues I've found and fixed in the configure invocation:
 * configure --with-openssl-dir= detects the wrong bin/openssl if
 "$OPENSSL_DIR/bin/openssl" isn't in the path before all other openssl
 executables.
 * configure --enable-static-openssl requires
 LDFLAGS="$OPENSSL_DIR/lib":$LDFLAGS to link properly, at least on OS X.
 I'm pretty sure these issues will affect all (non-system/non-standard)
 SSLs.

 Can we make configuring with non-system SSLs easier by prepending
 "$OPENSSL_DIR/bin" and "$OPENSSL_DIR/lib" to the PATH and LDFLAGS
 respectively?

 Happy to do the fix, but it may take me some time as I'm not familiar with
 autoconf scripts.

 '''Testing with Chutney'''

 Once I get tor/LibreSSL to compile, the unit tests pass flawlessly.

 But I see the following log entries in chutney clients, which I really
 don't have any idea how to fix (I'm going to try boringssl next):

 [notice] We weren't able to find support for all of the TLS ciphersuites
 that we wanted to advertise. This won't hurt security, but it might make
 your Tor (if run as a client) more easy for censors to block.
 [notice] To correct this, use a version of OpenSSL built with none of its
 ciphers disabled.

 [info] TLS error while handshaking with "127.0.0.1": wrong cipher returned
 (in SSL routines:SSL3_GET_SERVER_HELLO:SSLv3 read server hello B)
 [info] int connection_tls_continue_handshake(or_connection_t *)(): tls
 error [misc error]. breaking connection.
 [info] void circuit_n_chan_done(channel_t *, int)(): Channel failed;
 closing circ.
 [info] void circuit_build_failed(origin_circuit_t *)(): Our circuit died
 before the first hop with no connection
 [info] void connection_ap_fail_onehop(const char *, cpath_build_state_t
 *)(): Closing one-hop stream to '$<KEY>/127.0.0.1' because the OR conn
 just failed.
 [info] void connection_or_note_state_when_broken(or_connection_t *)():
 Connection died in state 'handshaking (TLS) with SSL state SSLv3 read
 server hello B in HANDSHAKE'
 [info] void control_event_bootstrap_problem(const char *, int,
 or_connection_t *)(): Problem bootstrapping. Stuck at 10%: Finishing
 handshake with directory server. (DONE; DONE; count 8; recommendation
 ignore)
 [info] 8 connections have failed:
 [info]  8 connections died in state handshaking (TLS) with SSL state SSLv3
 read server hello B in HANDSHAKE

 chutney routers are similar, with these extra lines on init:

 [info] int crypto_global_init(int, const char *, const char *)(): NOT
 using OpenSSL engine support.
 [info] int evaluate_evp_for_aes(int)(): This version of OpenSSL has a
 known-good EVP counter-mode implementation. Using it.
 [info] void tor_tls_init()(): OpenSSL LibreSSL 2.0 looks like version
 0.9.8m or later; I will try SSL_OP to enable renegotiation

 chutney authorities also include these extras:

 [info] or_connection_t *connection_or_connect(const tor_addr_t *,
 uint16_t, const char *, channel_tls_t *)(): Client asked me to connect to
 myself. Refusing.
 [info] void log_unsupported_ciphers(smartlist_t *)(): The unsupported
 ciphers were: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
 :ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-
 RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-
 RC4-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-
 RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:EDH-RSA-DES-
 CBC3-SHA:AES128-SHA:CAMELLIA128-SHA:AES256-SHA:CAMELLIA256-SHA:DES-
 CBC3-SHA:RC4-SHA
 [info] TLS error while handshaking with "127.0.0.1": sslv3 alert illegal
 parameter (in SSL routines:SSL3_READ_BYTES:SSLv3 read client certificate
 A)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13415>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
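The "unsupported ciphers" notice quoted in the ticket is easier to act on if you can see which of the ciphersuites tor wants to advertise your TLS library actually lacks. The script below is an added example, not code from the ticket or from tor: it re-joins the wrapped log_unsupported_ciphers() entry (the sample is constructed from the lines above, wrapped as the archive shows them), extracts the cipher names, and compares them with the cipher list the TLS library that Python links against can offer. The function names and the SAMPLE_LOG constant are the example's own.

```python
import re
import ssl

# Constructed sample input: the log_unsupported_ciphers() entry from the
# ticket, with the line wrapping the mailing-list archive applied to it, plus
# the following entry so the parser has an entry boundary to stop at.
SAMPLE_LOG = """\
 [info] void log_unsupported_ciphers(smartlist_t *)(): The unsupported
 ciphers were: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
 :ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-
 RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-
 RC4-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-
 RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:EDH-RSA-DES-
 CBC3-SHA:AES128-SHA:CAMELLIA128-SHA:AES256-SHA:CAMELLIA256-SHA:DES-
 CBC3-SHA:RC4-SHA
 [info] TLS error while handshaking with "127.0.0.1": sslv3 alert illegal
 parameter (in SSL routines:SSL3_READ_BYTES:SSLv3 read client certificate
 A)
"""

MARKER = "The unsupported ciphers were:"


def join_log_entries(log_text):
    """Re-join wrapped log lines: a line starting with '[' opens a new entry,
    anything else is a continuation of the previous one."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse_unsupported_ciphers(log_text):
    """Return the OpenSSL cipher names tor reported as unsupported, in log
    order and without duplicates. Any whitespace inside the list is wrap
    debris, since OpenSSL cipher names never contain spaces."""
    names = []
    for entry in join_log_entries(log_text):
        idx = entry.find(MARKER)
        if idx == -1:
            continue
        blob = re.sub(r"\s+", "", entry[idx + len(MARKER):])
        for name in blob.split(":"):
            if name and name not in names:
                names.append(name)
    return names


def local_cipher_names():
    """Names of every cipher the TLS library Python links against can offer.
    'ALL:COMPLEMENTOFALL' selects everything, including the NULL-encryption
    suites that 'ALL' alone leaves out, so nothing is hidden by defaults."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:COMPLEMENTOFALL")
    return {c["name"] for c in ctx.get_ciphers()}


def classify(wanted, available):
    """Split tor's advertised list into the names `available` has and lacks,
    preserving tor's order."""
    present = [c for c in wanted if c in available]
    missing = [c for c in wanted if c not in available]
    return present, missing


if __name__ == "__main__":
    wanted = parse_unsupported_ciphers(SAMPLE_LOG)
    present, missing = classify(wanted, local_cipher_names())
    print("%d ciphers in tor's list, %d offered locally, %d missing"
          % (len(wanted), len(present), len(missing)))
    for name in missing:
        print("  missing:", name)
```

The comparison only reflects the library Python was linked with, which may not be the LibreSSL that tor was built against; to check the build itself, run `$OPENSSL_DIR/bin/openssl ciphers -v NAME` for each reported name, which exits non-zero when the library cannot select the cipher. As the notice says, a shorter offered list does not weaken the connection, it only makes the client's TLS handshake less like the one tor intends to imitate.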