[tor-dev] Tor not affected by recent openssl security advisories

Yawning Angel yawning at schwanenlied.me
Thu Jan 28 17:00:22 UTC 2016


On Thu, 28 Jan 2016 10:35:21 -0500
Nick Mathewson <nickm at torproject.org> wrote:
> Somebody always asks whether Tor is affected by each OpenSSL advisory,
> so I'm sending this mail in order to get a URL to send people to.  :)
> 
> Here are today's advisories:
>    https://mta.openssl.org/pipermail/openssl-announce/2016-January/000061.html
> 
> With respect to the first ( "DH small subgroups (CVE-2016-0701)" ),
> Tor is not affected because we set the SSL_OP_SINGLE_DH_USE() option.
> We started setting this option back in Tor 0.1.1.9-alpha, back in
> 2005.

It's also worth noting that newer (0.2.7.x) versions of Tor should not
be doing DHE except when talking to old versions of Tor linked
against old versions of OpenSSL, as ECDH is both mandatory and preferred
in the current stable series.

All versions of OpenSSL that predate support for ECC have been EOLed and
no longer receive security fixes, so if your system is using
OpenSSL 0.9.8 (or 1.0.0 for that matter, though it has ECC), you are
strongly encouraged to upgrade to something that is being maintained.

Regards,

-- 
Yawning Angel
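Nick's point about SSL_OP_SINGLE_DH_USE and the "DH small subgroups" advisory, as an added example that is not part of this thread and is neither Tor's nor OpenSSL's code: a Python sketch of the two complementary defences, a fresh DH exponent for every handshake (the "single use" property) and explicit validation that the group is a safe-prime group and that the peer's public value lies in the intended prime-order subgroup. The check is written for any safe-prime group, not just the one the demo uses; the group itself is a toy 256-bit safe prime found by deterministic search so the block runs offline, and the class and function names are mine. Production code uses the standardized 2048-bit or larger RFC 3526 / RFC 7919 groups through a TLS library rather than hand-rolled arithmetic.

```python
"""Defensive Diffie-Hellman hygiene: never reuse a DH private exponent, and
reject group parameters or peer public values outside the intended
prime-order subgroup.  Added example; not Tor or OpenSSL code.  All names
and the toy group are the example author's own."""
import secrets

_SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases (a fixed base list could be fooled by
    an adversarially chosen composite handed to us as a DH parameter)."""
    if n < 2:
        return False
    for sp in [2] + _SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when p and q = (p-1)/2 are both prime.  Then the only
    subgroups have order 1, 2, q or 2q, so there is no small subgroup beyond
    {1, p-1} for a peer to confine a shared secret to."""
    return p > 5 and p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def validate_group(p: int, g: int) -> int:
    """Accept only a safe-prime group whose generator has order q; return q.
    A prime whose p-1 has small odd factors (e.g. 31, with 30 = 2*3*5) is
    rejected: a 'public key' of order 3 or 5 would leak the victim's
    exponent mod 3 or mod 5 on every handshake that reused it."""
    if not is_safe_prime(p):
        raise ValueError("p is not a safe prime")
    q = (p - 1) // 2
    if not (2 <= g <= p - 2) or pow(g, q, p) != 1:
        raise ValueError("g does not generate the order-q subgroup")
    return q


def group_is_acceptable(p: int, g: int) -> bool:
    """Boolean wrapper around validate_group for callers that prefer a flag."""
    try:
        validate_group(p, g)
        return True
    except ValueError:
        return False


def validate_peer_public(y: int, p: int, q: int) -> bool:
    """Public-value check: in range and inside the order-q subgroup.
    Rejects 0, 1, p-1 (the order-2 element) and anything >= p-1."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1


def find_toy_safe_prime(bits: int = 256) -> int:
    """Deterministic search for the first safe prime >= 2**(bits-1) with
    p = 7 (mod 8); that makes 2 a quadratic residue and hence a generator of
    the order-q subgroup.  Toy size for a self-contained run only."""
    p = (1 << (bits - 1)) | 7
    while True:
        q = (p - 1) // 2
        if all(q % sp for sp in _SMALL_PRIMES) and is_probable_prime(q) and is_probable_prime(p):
            return p
        p += 8


class EphemeralDH:
    """One party.  new_handshake() draws a fresh exponent every time, which is
    the property SSL_OP_SINGLE_DH_USE enforces: a confined shared secret in
    one session reveals nothing reusable against a later one."""

    def __init__(self, p: int, g: int):
        self.p, self.g = p, g
        self.q = validate_group(p, g)
        self._x = None

    def new_handshake(self) -> int:
        self._x = 2 + secrets.randbelow(self.q - 2)  # fresh x in [2, q-1]
        return pow(self.g, self._x, self.p)

    def shared_secret(self, peer_public: int) -> int:
        if self._x is None:
            raise RuntimeError("call new_handshake() first")
        if not validate_peer_public(peer_public, self.p, self.q):
            raise ValueError("peer public value rejected (out of range or small subgroup)")
        x, self._x = self._x, None  # consume the exponent: it is never reused
        return pow(peer_public, x, self.p)


def demo_exchange(p: int, g: int) -> dict:
    """Two honest parties agree; a second handshake yields a new public value;
    the order-2 value p-1 is rejected before any exponentiation happens."""
    alice, bob = EphemeralDH(p, g), EphemeralDH(p, g)
    ya, yb = alice.new_handshake(), bob.new_handshake()
    agree = alice.shared_secret(yb) == bob.shared_secret(ya)
    ya_next = alice.new_handshake()  # new session, new exponent
    try:
        alice.shared_secret(p - 1)
        rejected = False
    except ValueError:
        rejected = True
    return {"agree": agree, "fresh_public": ya_next != ya, "order2_rejected": rejected}


if __name__ == "__main__":
    P = find_toy_safe_prime(256)
    print(demo_exchange(P, 2))
```

The subgroup test `pow(y, q, p) == 1` is what closes the confinement avenue even when the exponent is reused, and the safe-prime requirement is what lets a single cheap exponentiation be sufficient; the per-handshake exponent is the belt to that pair of braces, and it is the one Tor has had since 0.1.1.9-alpha.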