TLS renegotiating error persists on FreeBSD 8.0 updated.
Roger Dingledine
arma at mit.edu
Fri Jan 8 20:52:55 UTC 2010
On Fri, Jan 08, 2010 at 09:41:56PM +0100, Sebastian Hahn wrote:
> On Jan 8, 2010, at 6:45 PM, Luis Maceira wrote:
> > The well-known TLS renegotiating error which the tor-0.2.1.21
> > version was supposed to address persists on FreeBSD-8.0 updated as
> > of today. The unstable version (0.2.2.6): same thing, the error
> > persists (on Linux and using tor-0.2.2.6 the error does not exist; I
> > had this error only on Debian Testing and OpenSuSE).
> > So, it seems to be a FreeBSD issue, more specifically after a recent
> > FreeBSD update (when I could no longer use tor).
>
> Right. Unfortunately, it seems that FreeBSD patched openssl in such a
> way that it is entirely impossible for any application to enable
> renegotiation. See http://security.freebsd.org/advisories/FreeBSD-SA-09:15.ssl.asc
> for details. This means that Tor will remain completely unusable on
> FreeBSD with those patches built in until they either change the
> patch, or Tor updates its protocol. I believe that Tor will update
> eventually, but this might take a substantial amount of time.
Yep. See also
http://archives.seul.org/tor/relays/Dec-2009/msg00016.html
I don't want to cripple Tor's handshake on the relay side, since that
would prevent people in censoring countries from doing the version of
the TLS handshake that blends in better.
Eventually we're going to do a smoother version of the handshake
that doesn't require TLS renegotiation -- basically we'll do it by
reimplementing what we need from the TLS protocol inside Tor at the cell
level. But that could be half a year from now at least, and it's going
to be a mess to get right.
In the meantime, I guess we're at a standoff.
"What the fuck, freebsd? Why did you break a system library?"
--Roger