[tor-relays] possible interference between sbws and a libressl relay

Mon Sep 23 23:28:29 UTC 2019

> On 24 Sep 2019, at 03:27, Felix <zwiebel at quantentunnel.de> wrote:
> 
>> Am 2019-09-23 um 1:59 AM schrieb teor:
>> 
>> We need some more information to diagnose the issue, and answer these
>> questions:
>> 
>> * Is this issue reproducible?
> 
> In my Freebsd monoculture, yes. 20 guard relays shared the same history:
> 
> Tor versions Tor 0.4.0.5, 0.4.1.2-alpha, 0.4.1.3-alpha, all on LibreSSL
> 2.9.2. Running guard since >1 month before they all lost guard flags
> between 2019-08-15 10pm and 2019-08-16 1am.

How do you know it's LibreSSL, and not simply restarting the relays?

>> * Are all tor clients affected?
> 
> They became middle relays so I expect no client will connect (besides
> onion services?). But they were pushing a lot of data as middles.

Here's what I meant:

Are all Tor instances having trouble connecting to your relays, or just
some of them?

You've answered the question below.

>> * If only some tor clients are affected, why are they affected?
> 
> No idea, sorry.
> 
>> * Are all bandwidth authorities affected, or just the ones running sbws?
> 
> Short: Torflow is ok, sbws not

That's not quite accurate.

> Consensus for a relay with Libressl 292
>  maatu. (!running, fast, !guard, bw ok)

The authority on maatuska appears to be affected.

>  moria1 (running,  fast,  guard, bw ok)
>  farav. (running,  fast,  guard, bw ok)
>  longc. (running, !fast, !guard, no bw)
>  bastet (running, !fast, !guard, no bw)

The bandwidth authority clients on longclaw and bastet are affected.

> All relays w/o 292 received quickly running and fast from all bw auths,
> later guard.

Ok, so it does have something to do with LibreSSL. But we don't know
why some other Tor instances are having trouble connecting: because
it's not only sbws clients which are failing, it's authorities as well.

>> * Are these issues actually instances of know sbws bugs?
> 
> I don't think so.

It doesn't seem so either. This seems like a LibreSSL / Tor bug, not an
sbws bug.

> For further testing I keep the relays like this:
> 
> All the relays are on the same dedicated server
> 
> now working ok:
> 79D9E66BB2FDBF25E846B635D8248FE1194CFD26 Tor 0.4.1.6, OpenSSL 1.1.1d
> ACBBB426CE1D0641A590BF1FC1CF05416FC0FF6F Tor 0.4.1.5, OpenSSL 1.0.2s
> 9F5068310818ED7C70B0BC4087AB55CB12CB4377 Tor 0.4.1.6, LibreSSL 3.0.0
> 8FA37B93397015B2BC5A525C908485260BE9F422 Tor 0.4.1.5, OpenSSL 1.0.2t
> 
> suffering:
> ED7F2BE5D2AC7FCF821A909E2486FFFB95D65272 Tor 0.4.1.3-alpha, LibreSSL 2.9.2
> 
> 
> 
> I hope that helps. Please tell me how I can support.

Maybe there is a bug in LibreSSL 2.9.2 ?
Or a bug between that version and other SSL libraries?

Can you reproduce this issue using Tor Browser connecting to your
relays? If so, what do you see in your Tor logs?

T