Tor fails to build connections after FreeBSD security update

Mike L jackoroses at gmail.com
Sat Dec 5 16:01:14 UTC 2009


Yes I am seeing this as well.
I recently did the same thing on my home relay with the same end results as you.
I did not attempt to install ssl port though and am still trying to make it use the base ssl.
I de-installed the port and re-installed but saw the same errors you see still.
Running FreeBSD 7.2-RELEASE-p5 #0: Thu Dec  3 22:36:36 EST 2009 (amd64)
OpenSSL 0.9.8e 23 Feb 2007 with libevent 1.4.12 (if the version is relevant or not..)
Sounds like you are about two steps ahead of me though in tracking down the issue.

Likewise I'm glad I ran it here before I did it on the exit node..





On Sat, Dec 5, 2009 at 9:54 AM, Hans Schnehl <torvallenator at gmail.com> wrote:

> Hi,
>
>
> Due to several security advisories there have been a few patches advised to
> be applied on FreeBSD systems.
> These are
> FreeBSD-SA-09:15.ssl ,
> FreeBSD-SA-09:16.rtld,
> FreeBSD-SA-09:17.freebsd-update
> FreeBSD-SA-09:15.ssl [REVISED]
>
> FreeBSD-SA-09:15.ssl is to be found at
>
> http://lists.freebsd.org/pipermail/freebsd-security-notifications/2009-December/000136.html
> and notes:
>
> [snip]
> NOTE WELL: This update causes OpenSSL to reject any attempt to renegotiate
> SSL / TLS session parameters.  As a result, connections in which the other
> party attempts to renegotiate session parameters will break.  In practice,
> however, session renegotiation is a rarely-used feature, so disabling this
> functionality is unlikely to cause problems for most systems.
> [snip]
>
> Well, so shall it be.
> I rebuilt world to 7.2-STABLE #0 r200100: Fri Dec  4 16:29, but one may just
> as well apply patches, see above.
> After that Tor, running perfectly before the update, fails to build
> connections.
> There are plenty of info level messages about failed TLS renegotiation, which
> is just about what the above message says (surprise!)
>
> Tor is:
> Tor version 0.2.2.6-alpha (git-1ee580407ccb9130), which is the default
> tor-devel version available from the fbsd ports,
> the box is running 7.2-STABLE on i386.
>
> Tor itself and libevent have been rebuilt after the build.
>
> The default OpenSSL version coming with the 7.2 base system is OpenSSL 0.9.8e,
> now patched Tor fails to bootstrap (messages like '...stuck at 85%').
>
> I made Tor use the ports version, openssl-0.9.8l, and with that
> Tor after all is able to build circuits, but only after an unusually
> long time and complaining.
> Tor though still fails to accept the StrictEntryNodes option, it can't
> connect to the nodes listed under EntryNodes and therefore no circuits are
> built with this option set. (The nodes are up, but handled as being down)
>
> This happened on a box running Tor as a client. Don't really want that
> to happen on a busy relay.
>
> Anyone else seeing this?
> Solutions apart from using openssl-0.9.8l ?
> What did I possibly miss ?
>
> Regards
> Hans
>
>