Tor fails to build connections after FreeBSD security update

Hans Schnehl torvallenator at gmail.com
Sat Dec 5 14:54:19 UTC 2009


Hi,


Due to several security advisories there have been a few patches advised to
be applied on FreeBSD systems.
These are
FreeBSD-SA-09:15.ssl,
FreeBSD-SA-09:16.rtld,
FreeBSD-SA-09:17.freebsd-update,
FreeBSD-SA-09:15.ssl [REVISED]

FreeBSD-SA-09:15.ssl is to be found at
http://lists.freebsd.org/pipermail/freebsd-security-notifications/2009-December/000136.html
and notes:

[snip]
NOTE WELL: This update causes OpenSSL to reject any attempt to renegotiate
SSL / TLS session parameters.  As a result, connections in which the other
party attempts to renegotiate session parameters will break.  In practice,
however, session renegotiation is a rarely-used feature, so disabling this
functionality is unlikely to cause problems for most systems.
[snip]

Well, so shall it be.
I rebuilt world to 7.2-STABLE #0 r200100: Fri Dec  4 16:29, but one may just
as well apply patches, see above.
After that Tor, running perfectly before the update, fails to build connections.
There are plenty of info-level messages about failed TLS renegotiation, which
is just about what the above message says (surprise!)

Tor is:
Tor version 0.2.2.6-alpha (git-1ee580407ccb9130), which is the default
tor-devel version available from the fbsd ports,
the box is running 7.2-STABLE on i386.

Tor itself and libevent have been rebuilt after the build.

The default OpenSSL version coming with the 7.2 base system is OpenSSL 0.9.8e,
now patched; Tor fails to bootstrap (messages like '...stuck at
85%').

I made Tor use the ports version, openssl-0.9.8l, and with that
Tor after all is able to build circuits, but only after an unusually
long time and complaining.
Tor though still fails to accept the StrictEntryNodes option, it can't connect to
the nodes listed under EntryNodes and therefore no circuits are built with
this option set. (The nodes are up, but handled as being down.)

This happened on a box running Tor as a client. Don't really want that
to happen on a busy relay.

Anyone else seeing this?
Solutions apart from using openssl-0.9.8l?
What did I possibly miss?

Regards
Hans



More information about the tor-relays mailing list