Tor fails to build connections after FreeBSD security update
Fabian Keil
freebsd-listen at fabiankeil.de
Sun Dec 6 15:03:08 UTC 2009
Roger Dingledine <arma at mit.edu> wrote:
> On Sat, Dec 05, 2009 at 07:36:13PM +0100, Hans Schnehl wrote:
> > On Sat, Dec 05, 2009 at 11:39:33AM -0500, Andrew Lewman wrote:
> > > Tor initiates a ssl renegotiate at the start of a circuit, the latest
> > > openssl breaks tor. The fixes for this are currently in -alpha only.
> > > The 0.2.1.21-dev in git also contains the fix. We're testing
> > > 0.2.2.6-alpha right now,
> > > https://blog.torproject.org/blog/tor-0226-alpha-released. Please try
> > > 0.2.2.6-alpha and let us know if it works.
> >
> > Tor version 0.2.2.6-alpha (git-1ee580407ccb9130) was where this
> > started. That's the current from the official download page now and
> > the one in the FreBSD ports.
> > Tried Tor version 0.2.2.6-alpha-dev (git-4afdb79051f7b1ca) from a
> > minute ago or so, fails with OpenSSL 0.9.8e, runs "sort of" with
> > 0.9.8.l but still gives the following:
>
> To make things more complex, while Tor 0.2.2.6-alpha has the workaround
> to handle the way that openssl 0.9.8l broke renegotiation, it looks
> like openssl 0.9.8m broke renegotiation in a new way. The upcoming
> 0.2.2.7-alpha (or current git head) aims to handle this new way.
>
> So I'm not sure what your openssl 0.9.8e actually is. But perhaps it's
> 0.9.8e with backports from 0.9.8m, in which case moving to Tor's git
> head might help.
FreeBSD's OpenSSL patch disables session renegotiation without
offering the option to enable it. Moving to Tor's git head doesn't
help and openssl-0.9.8l has to be installed from ports.
Quoting the advisory:
|V. Solution
|
|NOTE WELL: This update causes OpenSSL to reject any attempt to renegotiate
|SSL / TLS session parameters. As a result, connections in which the other
|party attempts to renegotiate session parameters will break. In practice,
|however, session renegotiation is a rarely-used feature, so disabling this
|functionality is unlikely to cause problems for most systems.
For some values of "most systems".
http://security.freebsd.org/advisories/FreeBSD-SA-09:15.ssl.asc
http://security.freebsd.org/patches/SA-09:15/ssl.patch
Fabian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20091206/21f222e5/attachment.pgp>
More information about the tor-relays
mailing list