Tor fails to build connections after FreeBSD security update

Hans Schnehl torvallenator at gmail.com
Sun Dec 6 08:12:19 UTC 2009


> 
> To make things more complex, while Tor 0.2.2.6-alpha has the workaround
> to handle the way that openssl 0.9.8l broke renegotiation, it looks
> like openssl 0.9.8m broke renegotiation in a new way. The upcoming
> 0.2.2.7-alpha (or current git head) aims to handle this new way.

Looks like different versions of OpenSSL shipping with the different
branches of FreeBSD will add even more variations of the issue.
               
> 
> So I'm not sure what your openssl 0.9.8e actually is. But perhaps it's
> 0.9.8e with backports from 0.9.8m, in which case moving to Tor's git
> head might help.

Here we go:
Don't know about Mike's, but the box failing here is:
ato# uname -a
FreeBSD ato 7.2-STABLE FreeBSD 7.2-STABLE #0 r200100: Fri Dec  4 16:29:00

This ships with openssl-0.9.8e as part of the base.
Due to security advisories (see first post above) openssl has been
patched. I did not apply the patches, but rebuilt world using sources
from svn. This included the patches against openssl. Before this, Tor was
running flawlessly, no probs whatsoever whichever version, no probs with
StrictEntryNodes. 

You may see the sec.adv. at:

http://lists.freebsd.org/pipermail/freebsd-security-notifications/2009-December/000136.html
http://lists.freebsd.org/pipermail/freebsd-security-notifications/2009-December/000139.html

After the update:
OpenSSL> version
OpenSSL 0.9.8e 23 Feb 2007

Tor fails to run on this combination.


There is openssl 0.9.8l in the ports, throwing in the pkg, setting
LD_LIBRARY_PATH to /usr/local/lib in the environment, linking the binary
from /usr/local/bin/openssl to /usr/bin/openssl ( and hiding the old )
shows on the same system:

ato# openssl
OpenSSL> version
OpenSSL 0.9.8l 5 Nov 2009

Tor also fails to run here.


The Tor binary is:
ato# tor --version
Dec 06 07:11:16.923 [notice] Tor v0.2.2.6-alpha-dev (git-4afdb79051f7b1ca)

Versions previous to that failed as well.

----
Just to add a little more confusion ;) ... 
A FreeBSD 8.0-RC2 box on amd64 ships with a more recent version of openssl
in the base.
ico# openssl
OpenSSL> version
OpenSSL 0.9.8k 25 Mar 2009
I dare not upgrade this box for obvious reasons.
> 
> > Was there a general change in handling StrictEntryNodes, as this does not
> > work in either combination ?
> 
> Nope. I have a branch that will clean up the entrynodes / exitnodes
> behavior, but I haven't found time lately to merge it.

It's only the StrictEntryNodes Option I was referring to, but if Tor's
renegotiation fails, the nodes listed under EntryNodes will simply not be
connected to.

HTH

Hans
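Editor's note: the thread above swaps OpenSSL via LD_LIBRARY_PATH and a relinked openssl binary, but the version the `openssl` CLI prints is not necessarily the libssl that the tor binary resolves at run time, and FreeBSD's base OpenSSL keeps its old version string (0.9.8e) even after the security-advisory patches are applied. The following script is an added diagnostic example, not code from Hans's message or from the Tor project; it assumes ldd-style output of the form `libssl.so.N => /path/libssl.so.N (0x...)` as printed on FreeBSD and Linux, and the sample ldd and version lines inside it are constructed.

```shell
#!/bin/sh
# Added example: find out which libssl a binary actually resolves to, and
# compare that with what `openssl version` reports. Assumes ldd prints
# "libssl.so.N => /path/libssl.so.N (0x...)" lines (FreeBSD and glibc ldd do).

# Read ldd output on stdin, print the resolved path of the first libssl entry.
libssl_path_from_ldd() {
    awk '/libssl/ { for (i = 1; i <= NF; i++) if ($i == "=>") { print $(i + 1); exit } }'
}

# $1: one line as printed by `openssl version`, e.g. "OpenSSL 0.9.8l 5 Nov 2009".
# Prints just the version token ("0.9.8l").
openssl_version_token() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }'
}

# Classify a 0.9.8 letter release against the renegotiation changes the
# thread describes. The caveat is the first branch: a pre-"l" string proves
# nothing, because vendors (FreeBSD's SA here) backport the renegotiation
# patch without bumping the version string.
renegotiation_status() {
    case "$1" in
        0.9.8[a-k]) echo "version string predates 0.9.8l, but vendor patches may have changed renegotiation anyway" ;;
        0.9.8l)     echo "0.9.8l: renegotiation disabled (Tor 0.2.2.6-alpha carries a workaround)" ;;
        0.9.8m*)    echo "0.9.8m: renegotiation changed again (needs Tor 0.2.2.7-alpha or git head)" ;;
        *)          echo "no renegotiation classification known for $1" ;;
    esac
}

# Constructed sample: the openssl CLI on PATH is the port build in /usr/local,
# while the tor binary still resolves the base system libssl.
SAMPLE_LDD='libcrypto.so.5 => /usr/lib/libcrypto.so.5 (0x28100000)
libssl.so.5 => /usr/lib/libssl.so.5 (0x28200000)
libc.so.7 => /lib/libc.so.7 (0x28300000)'
SAMPLE_CLI_VERSION='OpenSSL 0.9.8l 5 Nov 2009'
SAMPLE_BASE_VERSION='OpenSSL 0.9.8e 23 Feb 2007'

report() {
    lib=$(printf '%s\n' "$SAMPLE_LDD" | libssl_path_from_ldd)
    cli=$(openssl_version_token "$SAMPLE_CLI_VERSION")
    base=$(openssl_version_token "$SAMPLE_BASE_VERSION")
    echo "openssl CLI reports:      $cli ($(renegotiation_status "$cli"))"
    echo "tor resolves libssl from: $lib"
    echo "that library's version:   $base ($(renegotiation_status "$base"))"
    case "$lib" in
        /usr/local/*) echo "tor is using the port libssl" ;;
        *)            echo "tor is NOT using the port libssl; LD_LIBRARY_PATH did not take effect for it" ;;
    esac
}

# To inspect a real binary instead of the sample:
#   ldd "$(command -v tor)" | libssl_path_from_ldd
#   openssl_version_token "$(openssl version)"
report
```

The point of the report is the last line: if the resolved path is still under /usr/lib, tor never saw the 0.9.8l port library, so the two "fails to run" observations in the thread may well have been made against the same (patched 0.9.8e) libssl.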


