[tor-talk] Help testing patch on SandyBridge/IvyBridge? Force disable use of RDRAND in OpenSSL when HardwareAccel is enabled
coderman
coderman at gmail.com
Sat Dec 14 14:14:27 UTC 2013
this is logged as trac ticket:
https://trac.torproject.org/projects/tor/ticket/10402
FreeBSD project announced RDRAND not to be used directly, with OpenSSL
following guidance.[0][1][2]
IF?
you are using a Tor built against openssl-1.0.1-beta1 through openssl-1.0.1e
AND+
you have set HardwareAccel 1
THEN:
you should implement one of the remedies below!
help coderman test mitigation patch:
https://peertech.org/dist/tor-0.2.4.19-rdrand-disable.patch
https://peertech.org/dist/tor-0.2.5.1-rdrand-disable.patch
https://peertech.org/dist/tor-latest-rdrand-disable.patch
if on Sandy Bridge, Ivy Bridge, other Intel CPU with RDRAND.
OTHER mitigation:
- re-build your OpenSSL with OPENSSL_NO_RDRAND defined
- re-build your Tor with DISABLE_ENGINES defined
- update to latest git openssl or cherry pick commit: "Don't use
rdrand engine as default unless explicitly requested." - Dr. Stephen
Henson
best regards,
0. "FreeBSD Developer Summit: Security Working Group, /dev/random"
https://wiki.freebsd.org/201309DevSummit/Security
1. "Surreptitiously Tampering with Computer Chips"
https://www.schneier.com/blog/archives/2013/09/surreptitiously.html
2. "How does the NSA break SSL? ... Weak random number generators"
http://blog.cryptographyengineering.com/2013/12/how-does-nsa-break-ssl.html
More information about the tor-talk
mailing list