[tor-relays] Recommended reject lines for relays affected by Heartbleed

Tobias Markus tobias at miglix.eu
Thu Apr 17 23:40:17 UTC 2014



Hi,

(again a Disclaimer: I am not a Tor dev/guru and might be talking
bullsh*t.)

Tor circuits (a "way" through the Tor network) and thus nodes are
entirely chosen by clients based on the consensus given by dirauths
(see my earlier post). The ExcludeNodes statement you use basically
instructs the Tor *client* part not to use the specified nodes in
their circuits.

If you run a relay, you don't have to undertake any action because of
Heartbleed except rotating your keys (deleting all keys in
DataDir/keys), updating OpenSSL and restarting Tor. (Moritz Bartl sent
an E-Mail to tor-relays explaining all this in great detail on
4/8/2014: "Relays vulnerable to OpenSSL bug: Please upgrade")

tl;dr: ExcludeNodes does not work and is not needed for relay operators.

On 04/18/2014 12:56 AM, tor at t-3.net wrote:
> Perl script attached which I made to take this !reject formatted
> list of bleeding tor nodes and reformat it into a mega-long
> ExcludeNodes line and put it at the end of my exit node's torrc. My
> tor daemon did not bomb or complain upon seeing the line.
> 
> Hopefully that is the right way to use that !rejects list for
> relay operators who want to do the best thing?
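
The relay-side steps named in the message above (upgrade OpenSSL, rotate the keys in DataDir/keys, restart Tor), as an added example that is not part of the original post or of Tor's own tooling. The function names and the quarantine directory name are hypothetical, and the script moves the old keys aside where the post says to delete them.

```shell
#!/bin/sh
# Added example: Heartbleed cleanup for a relay (upgrade check + key rotation).
# Assumption: the operator passes the relay's DataDir as the only argument.

# Return 0 if an upstream OpenSSL version string is in the Heartbleed range
# (1.0.1 through 1.0.1f; fixed in 1.0.1g). Distribution packages backported
# the fix without changing this string, so a match means "check the package
# changelog", not "definitely vulnerable".
openssl_in_heartbleed_range() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Move DataDir/keys aside so Tor generates fresh keys on its next start.
# Tor must be stopped first. Prints the quarantine path on success; remove
# that directory once the relay is confirmed running with its new identity.
rotate_relay_keys() {
    datadir=$1
    keys="$datadir/keys"
    if [ ! -d "$keys" ]; then
        echo "no keys directory at $keys" >&2
        return 1
    fi
    dest="$datadir/keys.heartbleed.$(date +%Y%m%d%H%M%S)"
    if [ -e "$dest" ]; then
        echo "$dest already exists" >&2
        return 1
    fi
    mv "$keys" "$dest" && chmod 700 "$dest" && printf '%s\n' "$dest"
}

# Usage (with tor stopped): sh rotate-keys.sh /path/to/DataDir
if [ "$#" -eq 1 ]; then
    v=$(openssl version | awk '{print $2}')
    if openssl_in_heartbleed_range "$v"; then
        echo "OpenSSL $v is in the affected range: upgrade before rotating" >&2
        exit 1
    fi
    rotate_relay_keys "$1"
fi
```

Rotating before the upgrade would expose the new keys to the same bug, which is why the script refuses to rotate while the version check still matches.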
