[tor-bugs] #28245 [Core Tor/Tor]: Tor nodes with OpenSSL 1.1.1 can't communicate with each other

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Nov 9 15:00:06 UTC 2018


#28245: Tor nodes with OpenSSL 1.1.1 can't communicate with each other
-------------------------------------------------+-------------------------
 Reporter:  asn                                  |          Owner:  nickm
     Type:  defect                               |         Status:
                                                 |  accepted
 Priority:  Very High                            |      Milestone:  Tor:
                                                 |  0.3.5.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  openssl tor-tls tls-1.3 035-must     |  Actual Points:
  029-backport 033-backport 034-backport         |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by nickm):

 So here's the process I used to try to track this down.

 I started by adding logs all over to look at SSL_read() and SSL_write()
 per above.  I noticed that not only were the clients getting the IO
 errors, but that relays were successfully using SSL_read() and
 SSL_write().  This made me think that there was something bogus on client
 connections.

 I confirmed that something was going wrong in the handshake stage: I added
 a bogus version to the client service cell, and made the relays log when
 they saw it. They weren't getting the version at all, even though the
 client thinks that it was sending it.  This helped me localize the problem
 to the handshake.h.

 At this point, I edited the router_initialize_tls_context() function so
 that clients would create TLS contexts as if they were servers.  This made
 chutney pass again!  So I guessed that there was something in the
 `tor_tls_context_init_one()` function, probably depending on the is_client
 flag, that was making clients not work.

 I tried forcing the various `if (! is_client)` checks to `if (1)`, and
 found that the one that was setting up EC curves was the problem.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28245#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
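An added example, not Tor's code and not the fix for this ticket: a small in-memory TLS 1.3 handshake harness in Python that builds the client and server contexts from an is_client flag, in the spirit of the bisection above, and shows how a mismatch in the EC group configuration between the two contexts surfaces as a handshake failure, while the same pin on both sides (the equivalent of giving clients the server-style setup) succeeds. The comment only says the EC-curve block was the culprit, not what was wrong in it; the mismatch used here (server pinned to P-256, client pinned to P-384) is an assumed illustration of that class of failure. The code assumes the `openssl` command-line tool is on PATH to generate a throwaway self-signed certificate; `ssl.SSLContext.set_ecdh_curve()` is used because it pins a context's supported-group list to a single curve.

```python
"""In-memory TLS 1.3 handshake harness (added example, not Tor code)."""
import os
import ssl
import subprocess
import tempfile


def make_self_signed_cert(tmpdir):
    """Generate a throwaway RSA key + self-signed cert with the openssl CLI.

    Constructed test material for this example only (assumes `openssl` on PATH).
    """
    key = os.path.join(tmpdir, "key.pem")
    cert = os.path.join(tmpdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=localhost"],
        check=True, capture_output=True,
    )
    return cert, key


def build_context(is_client, cert, key, curve=None):
    """Build one side's context from an is_client flag (hypothetical helper,
    shaped like a tor_tls_context_init_one()-style function, not Tor's)."""
    if is_client:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE      # self-signed test cert, no PKI
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(cert, key)
    # The ticket is about TLS 1.3 under OpenSSL 1.1.1, so force that version.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    if curve is not None:
        # Pins this side's supported (EC)DHE group list to a single curve.
        ctx.set_ecdh_curve(curve)
    return ctx


def handshake(client_ctx, server_ctx, max_rounds=20):
    """Drive a full handshake through MemoryBIOs; return (ok, error_text)."""
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_side=False)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    done = {"client": False, "server": False}

    def step(name, obj):
        if done[name]:
            return None
        try:
            obj.do_handshake()
            done[name] = True
        except ssl.SSLWantReadError:
            pass                              # needs the peer's next flight
        except ssl.SSLError as e:
            return "%s: %s" % (name, e)       # fatal alert on this side
        return None

    for _ in range(max_rounds):
        err = step("client", client)
        s_in.write(c_out.read())              # client -> server flight
        if err:
            return False, err
        err = step("server", server)
        c_in.write(s_out.read())              # server -> client flight
        if err:
            return False, err
        if all(done.values()):
            return True, ""
    return False, "handshake did not complete"


def run_demo():
    """Return handshake outcomes for default, mismatched and identical group setups."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        results = {}
        # 1. Both sides on library defaults: expected to succeed.
        results["defaults"] = handshake(build_context(True, cert, key),
                                        build_context(False, cert, key))
        # 2. Server pinned to P-256, client pinned to P-384: no shared group,
        #    so the server rejects the ClientHello and the handshake fails.
        results["mismatch"] = handshake(build_context(True, cert, key, "secp384r1"),
                                        build_context(False, cert, key, "prime256v1"))
        # 3. Same pin on both sides, i.e. the client given the server's setup.
        results["same_pin"] = handshake(build_context(True, cert, key, "prime256v1"),
                                        build_context(False, cert, key, "prime256v1"))
        return results


if __name__ == "__main__":
    for name, (ok, err) in run_demo().items():
        print("%-9s %s %s" % (name, "OK" if ok else "FAIL", err))
```

The harness never opens a socket, so it isolates the context configuration from everything else (cell parsing, network, chutney), which is the same separation the comment arrives at by forcing the `if (! is_client)` branches. To bisect a real configuration, add the suspect `SSL_CTX` settings to `build_context()` one at a time and watch which one flips the "same_pin" or "defaults" case to a failure.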