Tor fails to build connections after FreeBSD security update

Roger Dingledine arma at mit.edu
Sun Dec 6 18:30:06 UTC 2009


On Sun, Dec 06, 2009 at 04:03:08PM +0100, Fabian Keil wrote:
> > To make things more complex, while Tor 0.2.2.6-alpha has the workaround
> > to handle the way that openssl 0.9.8l broke renegotiation, it looks
> > like openssl 0.9.8m broke renegotiation in a new way. The upcoming
> > 0.2.2.7-alpha (or current git head) aims to handle this new way.
> > 
> FreeBSD's OpenSSL patch disables session renegotiation without
> offering the option to enable it. Moving to Tor's git head doesn't
> help and openssl-0.9.8l has to be installed from ports.
> 
> Quoting the advisory:
> 
> |V.   Solution
> |
> |NOTE WELL: This update causes OpenSSL to reject any attempt to renegotiate
> |SSL / TLS session parameters.  As a result, connections in which the other
> |party attempts to renegotiate session parameters will break.  In practice,
> |however, session renegotiation is a rarely-used feature, so disabling this
> |functionality is unlikely to cause problems for most systems.
> 
> For some values of "most systems".

Ha. That would do it. Thanks.

One extreme workaround would be to find
#define V2_HANDSHAKE_SERVER
#define V2_HANDSHAKE_CLIENT
in the top of src/common/tortls.c and comment those two lines out.

Then your Tor will revert back to the old (Tor 0.1.2.x) SSL handshake --
the one that is easy to identify as a Tor handshake, and so not suitable
for use in censoring countries or the growing set of similar environments.

Using a non-broken openssl is a better workaround.

(To be fair, I'll grant that there's a lot of competition in the arena of
"ways that OS packagers can screw up their custom openssl patches". It's
great to see that FreeBSD is working hard to catch up.)

--Roger
