[tor-bugs] #21152 [Core Tor/Tor]: "connections died in state handshaking (TLS) with SSL state SSLv3" sure makes it look like we're using SSLv3

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jan 6 10:27:55 UTC 2017


#21152: "connections died in state handshaking (TLS) with SSL state SSLv3" sure
makes it look like we're using SSLv3
--------------------------+---------------------------
 Reporter:  arma          |          Owner:
     Type:  defect        |         Status:  closed
 Priority:  Medium        |      Milestone:
Component:  Core Tor/Tor  |        Version:
 Severity:  Normal        |     Resolution:  not a bug
 Keywords:                |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+---------------------------
Changes (by yawning):

 * status:  new => closed
 * resolution:   => not a bug


Comment:

 > So, are the handshakes using SSLv3, or are they not? :)

 OpenSSL prior to 1.1.0 uses `ssl3_connect()` to do the actual connection
 work, even if you are using TLS (See: `ssl/t1_clnt.c`).  OpenSSL 1.1.0 and
 later renames and refactors everything, and will display `SSLv3/TLS read
 server certificate` here instead.

 > I assume this is just a cosmetic issue where SSL_state_string_long()
 > lies to us.

 Indeed.  And there's nothing we can do about it.

 > But who knows, maybe there is something deeper going on?

 {{{
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
 }}}

 If people are really worried, they can gather a pcap containing the
 ClientHello and look at the version while keeping in mind Appendix E of
 the RFC.

 Since this is cosmetic, OpenSSL's fault, and fixed in newer OpenSSL, I'm
 going to close this.  Reopen it once someone produces a pcap displaying
 horrifyingly wrong behavior.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21152#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
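
An added example, not part of the ticket or of Tor's code, of the check suggested in the comment above: read the version fields from a captured ClientHello. It assumes "the RFC" is RFC 5246 (TLS 1.2), whose Appendix E.1 lets a client put any {03,XX} value in the record-layer version of a ClientHello, so only `client_version` shows what is offered. The function names and sample bytes are constructed for illustration; the input is the TCP payload of the first client record.

```python
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def client_hello_versions(record: bytes) -> dict:
    """Extract both version fields from one TLS record holding a ClientHello."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, record_version, length = struct.unpack("!BHH", record[:5])
    if content_type != 22:                      # 22 = handshake
        raise ValueError("not a handshake record")
    fragment = record[5:5 + length]
    if len(fragment) != length or length < 6:
        raise ValueError("truncated handshake fragment")
    if fragment[0] != 1:                        # 1 = ClientHello
        raise ValueError("handshake message is not a ClientHello")
    # Bytes 1..3 are the handshake length; client_version follows.
    client_version = struct.unpack("!H", fragment[4:6])[0]
    return {
        # Compatibility field: may legitimately read 3.0 or 3.1.
        "record_version": NAMES.get(record_version, hex(record_version)),
        # Highest version the client offers: the field that matters.
        "client_version": NAMES.get(client_version, hex(client_version)),
        "highest_offered_is_sslv3_or_older": client_version <= 0x0300,
    }

def constructed_client_hello(record_version: int, client_version: int) -> bytes:
    """Build a minimal, constructed ClientHello record for the demo."""
    body = struct.pack("!H", client_version) + bytes(32)  # version + random
    body += b"\x00"                 # empty session_id
    body += b"\x00\x02\xc0\x2f"     # one cipher suite
    body += b"\x01\x00"             # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, record_version, len(handshake)) + handshake

if __name__ == "__main__":
    # Constructed cases: (record-layer version, ClientHello.client_version)
    for rec, cli in [(0x0301, 0x0303), (0x0300, 0x0303), (0x0300, 0x0300)]:
        print(client_hello_versions(constructed_client_hello(rec, cli)))
```

The second case has a record-layer version of 3.0 while offering TLS 1.2, which is the compatibility behaviour to keep in mind when reading a capture; only the third case has SSLv3 as the highest version on offer.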

