[tor-bugs] #7070 [Tor]: tor disables the SSLv3 for OpenSSL 1.0.0j
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Oct 10 03:35:03 UTC 2012
#7070: tor disables the SSLv3 for OpenSSL 1.0.0j
--------------------+-------------------------------------------------------
Reporter: kukabu | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor | Version:
Keywords: | Parent: #4822
Points: | Actualpoints:
--------------------+-------------------------------------------------------
Comment(by nickm):
Okay, this is a problem that we have with Fedora perpetually. Within each
Fedora release, they freeze the OpenSSL version number reported by
SSLeay() and by OPENSSL_VERSION_NUMBER, even when they upgrade to a newer
OpenSSL. So even though you have "1.0.0j" according to the human-readable
version string, it's calling itself an alpha or beta version of OpenSSL
1.0.0, and Tor can'd tell that it's really been upgraded.
I'm not sure what the right behavior is here, but I think our best bet
might be to just treat this as Fedora being Fedora, and accept that we
will sometimes mistake a Fedora openssl for an older one than it really
is. Other approaches -- like testing for the presence of the bug at
runtime, or trying to parse the human-readable version string -- seem like
they would be error-prone too, just in different ways.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7070#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list