No subject

Richard Johnson rdump at river.com
Sat Jan 30 23:07:59 UTC 2010


If you have Vidalia.app containing tor 0.2.1.22, and you've also
installed Apple's "Mac OS X Security Update 2010-001", you'll have
noticed that Apple made some errors in their TLS renegotiation.

Apple removed TLS renegotiation even for apps that both need TLS
renegotiation and do it safely.  Apple did this in spite of the upstream
OpenSSL project having fixed the renegotiation vulnerability more
sanely.  Apple is apparently using a partial back-port of the fix.

To work around Apple's TLS renegotiation back-port, it's easiest and
safest (in terms of side effects) to switch for now to using the real
OpenSSL in your existing Vidalia.app.  Here's how.


1) Make sure you have the latest versions of the real libevent and
openssl installed.  At present this gets you "OpenSSL 0.9.8l 5 Nov 2009".
(If you don't have MacPorts already, go here:
http://www.macports.org/install.php )

-------
sudo port install libevent openssl
-------

2) Get and verify the signatures on the tor source.
(If you haven't gotten the signers' keys directly from them, and there's
no-one you trust who has signed them yet, you can at least hit the tor
download site and see that the source archives back through the years
are signed by the same keys.  If you don't have wget and gpg, fix that
with 'sudo port install wget gnupg'.)

-------
cd ~/src/
wget "http://www.torproject.org/dist/tor-0.2.1.22.tar.gz.asc"
wget "http://www.torproject.org/dist/tor-0.2.1.22.tar.gz"
gpg tor-0.2.1.22.tar.gz.asc
-------

3) Extract and build tor.

-------
tar xzvf tor-0.2.1.22.tar.gz && cd tor-0.2.1.22/
env CPPFLAGS="-I/opt/local/include" LDFLAGS="-L/opt/local/lib" ./configure
make all
-------

4) Put your new tor executable into your existing Vidalia.app.

-------
cp -p ~/Applications/Vidalia.app/Contents/MacOS/tor ~/Applications/Vidalia.app/Contents/MacOS/tor.old
cp src/or/tor ~/Applications/Vidalia.app/Contents/MacOS/tor
-------

5) Run Vidalia.

-------
open ~/Applications/Vidalia.app
-------

You've just built and installed a tor executable that uses the real
OpenSSL, and is thus not afflicted with Apple's egregious kill of all
TLS renegotiation in the Mac OS X bundled OpenSSL.  You should now be
able to connect to other nodes when you launch tor.
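Before trusting the new binary, it is worth confirming that it really picked up the MacPorts OpenSSL rather than Apple's copy in /usr/lib.  The check below is an added example, not part of the original post: it inspects `otool -L` output and assumes the MacPorts prefix is /opt/local (as in the configure line above) and that tor links libssl/libcrypto dynamically.  The two samples are constructed stand-ins for real `otool -L` output.

```shell
#!/bin/sh
# Added check (not from the original post): does the tor binary link the
# MacPorts OpenSSL (/opt/local/lib) or Apple's bundled one (/usr/lib)?
# Assumes MacPorts lives in /opt/local and tor links OpenSSL dynamically.

# Constructed sample, shaped like `otool -L` on a tor built per step 3.
SAMPLE_MACPORTS_TOR='/Users/me/src/tor-0.2.1.22/src/or/tor:
    /opt/local/lib/libevent-1.4.2.dylib (compatibility version 3.0.0, current version 3.0.0)
    /opt/local/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /opt/local/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.3)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.0.0)'

# Constructed sample for a tor that uses Apple's patched OpenSSL.
SAMPLE_APPLE_TOR='/Users/me/Applications/Vidalia.app/Contents/MacOS/tor.old:
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.3)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.0.0)'

# $1 is the text printed by `otool -L <binary>`.
# Returns 0 only if both libssl and libcrypto resolve under /opt/local/lib
# and neither is pulled from /usr/lib.
check_openssl_linkage() {
    libs=$1
    if printf '%s\n' "$libs" | grep -E '^[[:space:]]*/usr/lib/lib(ssl|crypto)\.' >/dev/null; then
        echo "tor links Apple's OpenSSL from /usr/lib" >&2
        return 1
    fi
    ssl_n=$(printf '%s\n' "$libs" | grep -Ec '^[[:space:]]*/opt/local/lib/libssl\.' || true)
    crypto_n=$(printf '%s\n' "$libs" | grep -Ec '^[[:space:]]*/opt/local/lib/libcrypto\.' || true)
    if [ "$ssl_n" -ge 1 ] && [ "$crypto_n" -ge 1 ]; then
        return 0
    fi
    echo "tor does not link libssl and libcrypto from /opt/local/lib" >&2
    return 1
}

# Stand-alone demo on the constructed samples.  On the Mac, pass
# "$(otool -L ~/Applications/Vidalia.app/Contents/MacOS/tor)" instead.
for sample in "$SAMPLE_MACPORTS_TOR" "$SAMPLE_APPLE_TOR"; do
    if check_openssl_linkage "$sample"; then
        echo "OK: real OpenSSL from /opt/local/lib"
    else
        echo "NOT OK: rebuild against MacPorts OpenSSL"
    fi
done
```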

Later, when you replace Vidalia.app with a new version containing
official fixes, this change leaves no tor side effects behind.  If you
don't keep MacPorts around for other purposes, you can remove MacPorts then.

Good luck!