Tor fails to build connections after FreeBSD security update

Scott Bennett bennett at cs.niu.edu
Sun Dec 6 08:25:26 UTC 2009


     On Sun, 6 Dec 2009 09:12:19 +0100 Hans Schnehl <torvallenator at gmail.com>
wrote:
>> To make things more complex, while Tor 0.2.2.6-alpha has the workaround
>> to handle the way that openssl 0.9.8l broke renegotiation, it looks
>> like openssl 0.9.8m broke renegotiation in a new way. The upcoming
>> 0.2.2.7-alpha (or current git head) aims to handle this new way.
>
>Looks like different versions of OpenSSL shipping with the different
>branches of FreeBSD will add even more variations of the issue.
>               
>> 
>> So I'm not sure what your openssl 0.9.8e actually is. But perhaps it's
>> 0.9.8e with backports from 0.9.8m, in which case moving to Tor's git
>> head might help.
>
>Here we go:
>Don't know about Mike's, but the box failing here is:
>ato# uname -a
>FreeBSD ato 7.2-STABLE FreeBSD 7.2-STABLE #0 r200100: Fri Dec  4 16:29:00
>16:29:00 
>
>This ships with openssl-0.9.8e as part of the base.
>Due to security advisories (see first post above) openssl has been
>patched. I did not apply the patches, but rebuilt world using sources
>from svn. This included the patches against openssl. Before this, Tor was
>running flawlessly, no probs whatsoever whichever version, no probs with
>StrictEntryNodes. 
>
>You may see the sec.adv. at:
>                          
>http://lists.freebsd.org/pipermail/freebsd-security-notifications/2009-December/000136.html 
>http://lists.freebsd.org/pipermail/freebsd-security-notifications/2009-December/000139.html
>
>After the update:
>OpenSSL> version
>OpenSSL 0.9.8e 23 Feb 2007
> 
> Tor fails to run on this combination.
>
>
>There is openssl 0.9.8l in the ports, throwing in the pkg, setting
>LD_LIBRARY_PATH to /usr/local/lib in the environment, linking the binary
>from /usr/local/bin/openssl to /usr/bin/openssl (and hiding the old)
>shows on the same system:
>
>ato# openssl
>OpenSSL> version
>OpenSSL 0.9.8l 5 Nov 2009
>
> Tor also fails to run here.
>
>
>The Tor binary is:
>ato# tor --version
>Dec 06 07:11:16.923 [notice] Tor v0.2.2.6-alpha-dev (git-4afdb79051f7b1ca)
>
> versions previous to that failed as well.
>
>----
>Just to add a little more confusion ;) ... 
>A FreeBSD 8.0-RC2 box on amd64 ships with a more recent version of openssl
>in the base.
>ico# openssl 
>OpenSSL> version
>OpenSSL 0.9.8k 25 Mar 2009
> I dare not upgrade this box for obvious reasons.

     If you have 8.0-RC2 currently installed on it, then why *not* upgrade to
8.0-STABLE or at least to 8.0-RELEASE-p{whatever} if 8.0-RC2 is failing anyway?
Which version of OpenSSL is in the base for 8.0-RELEASE?  Has it already been
changed in 8.0-STABLE?
>> 
>> > Was there a general change in handling StrictEntryNodes, as this does not
>> > work in either combination ?
>> 
>> Nope. I have a branch that will clean up the entrynodes / exitnodes
>> behavior, but I haven't found time lately to merge it.
>
>It's only the StrictEntryNodes Option I was referring to, but if Tor's
>renegotiation fails, the nodes listed under EntryNodes will simply not be
>connected to.
>
     Curiouser and curiouser... 8-{


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************


