Bug 292661 - net-misc/tor-0.2.1.19-r1 TLS error while renegotiating with openssl-0.9.8l
Summary: net-misc/tor-0.2.1.19-r1 TLS error while renegotiating with openssl-0.9.8l
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Unspecified
Hardware: x86 Linux
Importance: High normal
Assignee: Gustavo Felisberto (RETIRED)
URL:
Whiteboard:
Keywords:
Duplicates: 295280
Depends on:
Blocks:
 
Reported: 2009-11-10 11:02 UTC by Sascha Wuestemann
Modified: 2015-10-18 06:12 UTC
CC: 6 users

See Also:
Package list:
Runtime testing required: ---


Attachments
fix openssl issue (tor-0.2.1.19-openssl.patch,3.49 KB, patch)
2009-11-10 18:32 UTC, Aidan Marks
new ebuild adding openssl patch (tor-0.2.1.19-r2.ebuild,2.38 KB, text/plain)
2009-11-10 18:33 UTC, Aidan Marks

Description Sascha Wuestemann 2009-11-10 11:02:19 UTC
tor-0.2.1.19-r1 does not work anymore when openssl-0.9.8l is installed, prior version of openssl worked. The current version of openssl fixes a security flaw and tor needs to be updated.
The current stable version of tor is 0.2.1.20, but the changelog says: "Changes in 0.2.1.21 - 20??-??-??
Work around a security feature in OpenSSL 0.9.8l that prevents our handshake from working unless we explicitly tell OpenSSL that we are using SSL renegotiation safely. We are, of course, but OpenSSL 0.9.8l won't work unless we say we are."
Thus currently only unstable tor versions would work safely; alternatively you can go back to openssl-0.9.8k, which is unsafe because you lose the security fix for openssl, but tor can run.


Reproducible: Always

Steps to Reproduce:
Searched the web to prove the situation.
Have two systems involved.
One is using openssl-0.9.8k-r1 and tor-0.2.1.19-r1 happily, tor works.
The other is using openssl-0.9.8l and tor-0.2.1.19-r1, and tor barks about a TLS error while renegotiating and does not work.
Actual Results:  
Tor currently is unusable

Expected Results:  
Please tell me how to get tor running securely in this situation.
Comment 1 Aidan Marks 2009-11-10 18:13:24 UTC
the tor bug:

http://bugs.noreply.org/flyspray/index.php?do=details&id=1144
Comment 2 Aidan Marks 2009-11-10 18:32:33 UTC
Created attachment 209850 [details, diff]
fix openssl issue

this patch from http://archives.seul.org/or/cvs/Nov-2009/msg00029.html fixes the openssl compatibility issue for me.
Comment 3 Aidan Marks 2009-11-10 18:33:27 UTC
Created attachment 209851 [details]
new ebuild adding openssl patch
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-12 14:34:03 UTC
Thank you both for researching.  This should be fixed.  When attaching fixed ebuilds, please provide an unified diff next time.  That makes reviewing easier.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2009-12-01 12:03:17 UTC
*** Bug 295280 has been marked as a duplicate of this bug. ***
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-12-01 12:04:08 UTC
Richard, which Tor revision are you using?
Comment 7 Richard Li 2009-12-01 12:45:07 UTC
(In reply to comment #6)
> Richard, which Tor revision are you using?
> 

=net-misc/tor-0.2.1.19-r2

Actually I noticed this bug before reporting about Tor. Tor doesn't work for me even after I upgrade openssl to 0.9.8l-r2
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2009-12-01 12:47:08 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > Richard, which Tor revision are you using?
> > 
> 
> =net-misc/tor-0.2.1.19-r2
> 
> Actually I noticed this bug before reporting about Tor. Tor doesn't work for me
> even after I upgrade openssl to 0.9.8l-r2

 Ok, Aidan and Sascha, do you still see this behaviour?

Comment 9 Aidan Marks 2009-12-01 18:09:04 UTC
> 
>  Ok, Aidan and Sascha, do you still see this behaviour?
> 

No, the -r2 ebuild/patch fixed the issue. tor-0.2.1.19-r2 with openssl-0.9.8l-r2 is working right now for me.
Comment 10 Richard Li 2009-12-02 04:06:02 UTC
(In reply to comment #9)
> 
> No, the -r2 ebuild/patch fixed the issue. tor-0.2.1.19-r2 with
> openssl-0.9.8l-r2 is working right now for me.
> 

It seems to me that tor doesn't work only if I enable bridges. Can you append the following four lines to /etc/tor/torrc and try it again?

UseBridges 1
bridge 79.176.43.54:8080
bridge 114.221.37.178:443
bridge 87.118.105.203:443
Comment 11 Sascha Wuestemann 2009-12-02 12:49:23 UTC
(In reply to comment #8)
> (In reply to comment #7)
> > (In reply to comment #6)
> > > Richard, which Tor revision are you using?
> > > 
> > 
> > =net-misc/tor-0.2.1.19-r2
> > 
> > Actually I noticed this bug before reporting about Tor. Tor doesn't work for me
> > even after I upgrade openssl to 0.9.8l-r2
> 
>  Ok, Aidan and Sascha, do you still see this behaviour?
> 

net-misc/tor-0.2.1.19-r2 works together with openssl-0.9.8l-r2 again.
Behaves as before for me so far. I have almost defaults, especially no bridges configured to tor.
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2009-12-02 14:26:37 UTC
Richard, if no one can reproduce, fixing gets really hard.  Do you use any custom config settings?  Move the torrc to a safe location and remerge the package for default config.
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2009-12-02 14:41:58 UTC
I just bumped to 0.2.1.20, maybe you can try that.
Comment 14 Richard Li 2009-12-02 17:17:39 UTC
(In reply to comment #13)
> I just bumped to 0.2.1.20, maybe you can try that.
> 

Tried that, still get this error. Downgrade to 0.9.8k and it's gone. I believe I didn't modify torrc except enabling bridges.


Dec 03 01:05:25.734 [notice] Tor 0.2.1.20 opening log file.
Dec 03 01:05:25.735 [notice] Parsing GEOIP file.
Dec 03 01:05:26.821 [notice] new bridge descriptor 'mymemorizer' (cached)
Dec 03 01:05:26.822 [notice] No current certificate known for authority urras; launching request.
Dec 03 01:05:26.822 [notice] Bootstrapped 5%: Connecting to directory server.
Dec 03 01:05:26.824 [notice] new bridge descriptor 'dante' (cached)
Dec 03 01:05:26.826 [notice] new bridge descriptor 'gpfTOR4b' (cached)
Dec 03 01:05:26.829 [notice] We now have enough directory information to build circuits.
Dec 03 01:05:26.829 [notice] Bootstrapped 80%: Connecting to the Tor network.
Dec 03 01:05:27.685 [notice] Bootstrapped 85%: Finishing handshake with first hop.
Dec 03 01:05:30.397 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:05:30.438 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:05:30.477 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:05:32.128 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:05:33.517 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:05:33.887 [notice] no known bridge descriptors running yet; stalling
Dec 03 01:05:33.887 [notice] Our directory information is no longer up-to-date enough to build circuits: No live bridge descriptors.
Dec 03 01:08:35.831 [warn] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (Connection timed out; TIMEOUT; count 6; recommendation warn)



OK, if still only I have this problem, I will trace into the codes to see what exactly is happening when I have time.
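As an added example (not code from this bug, from Tor or from Gentoo), a small Python triage script that parses Tor log output like the excerpt in comment 14 and flags the failure pattern discussed here: repeated "unexpected close while renegotiating" warnings while bootstrap stays stuck in the first-hop handshake. The sample lines are copied from comment 14; the verdict labels are the script's own.

```python
import re

# Sample Tor 0.2.1.20 log lines copied from comment 14 of this bug.
SAMPLE_LOG = """\
Dec 03 01:05:25.734 [notice] Tor 0.2.1.20 opening log file.
Dec 03 01:05:26.822 [notice] Bootstrapped 5%: Connecting to directory server.
Dec 03 01:05:26.829 [notice] Bootstrapped 80%: Connecting to the Tor network.
Dec 03 01:05:27.685 [notice] Bootstrapped 85%: Finishing handshake with first hop.
Dec 03 01:05:30.397 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:05:30.438 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:05:30.477 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:05:33.887 [notice] no known bridge descriptors running yet; stalling
Dec 03 01:08:35.831 [warn] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (Connection timed out; TIMEOUT; count 6; recommendation warn)
"""

# "Mon DD HH:MM:SS.mmm [level] message" as Tor writes it to its log file.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d\.\d{3}) \[(?P<level>\w+)\] (?P<msg>.*)$")
PROGRESS_RE = re.compile(r"Bootstrapped (\d+)%")
STUCK_RE = re.compile(r"Stuck at (\d+)%: (.+?)\.")
RENEG_ERROR = "TLS error: unexpected close while renegotiating"


def parse_tor_log(text):
    """Yield (timestamp, level, message) for each well-formed Tor log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group("ts"), m.group("level"), m.group("msg")


def analyze_bootstrap(text):
    """Summarise bootstrap progress and count TLS renegotiation failures.

    verdict is 'renegotiation_failure' when the client stalls in the first-hop
    handshake phase after renegotiation errors (the pattern in this bug),
    'ok' when bootstrap reached 100%, and 'other' for anything else.
    """
    progress, stuck_at, stuck_phase, reneg_errors = 0, None, None, 0
    for _ts, level, msg in parse_tor_log(text):
        if level == "warn" and msg == RENEG_ERROR:
            reneg_errors += 1
        if m := PROGRESS_RE.search(msg):
            progress = max(progress, int(m.group(1)))
        if m := STUCK_RE.search(msg):
            stuck_at, stuck_phase = int(m.group(1)), m.group(2)
    if progress >= 100:
        verdict = "ok"
    elif reneg_errors and stuck_phase and "handshake" in stuck_phase.lower():
        verdict = "renegotiation_failure"
    else:
        verdict = "other"
    return {"progress": progress, "stuck_at": stuck_at,
            "reneg_errors": reneg_errors, "verdict": verdict}
```

Run against a live log with `analyze_bootstrap(open("/var/log/tor/tor.log").read())`; a 'renegotiation_failure' verdict on a host with openssl-0.9.8l points at the unpatched Tor build rather than at network trouble.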
Comment 15 dacook 2009-12-05 00:24:12 UTC
Seeing this issue on net-misc/tor-0.2.1.20 on x86/hardened; it does not happen with 0.2.1.19-r2.  Checked the 0.2.1.20 source, and I don't see similar code, so the patch seems to still be necessary.
Comment 16 Tony Vroon (RETIRED) gentoo-dev 2009-12-05 14:15:54 UTC
Please fix net-misc/tor-0.2.1.20 which has freshly reintroduced this bug, commit as -r1 and delete the faulty version.
Comment 17 Aidan Marks 2009-12-05 21:27:53 UTC
(In reply to comment #16)
> Please fix net-misc/tor-0.2.1.20 which has freshly reintroduced this bug,
> commit as -r1 and delete the faulty version.
> 

tor-0.2.1.20 with openssl-0.9.8l-r2 is working fine for me.  I have a very basic torrc config:

User tor
Group tor
PIDFile /var/run/tor/tor.pid
SocksPort 9050 # what port to open for local application connections
SocksListenAddress 127.0.0.1 # accept connections only from localhost
Log notice file /var/log/tor/tor.log
DataDirectory   /var/lib/tor/data
Comment 18 Christian Apeltauer 2009-12-05 22:12:32 UTC
(In reply to comment #17)
> (In reply to comment #16)
> > Please fix net-misc/tor-0.2.1.20 which has freshly reintroduced this bug,
> > commit as -r1 and delete the faulty version.
> > 
> 
> tor-0.2.1.20 with openssl-0.9.8l-r2 is working fine for me.  I have a very
> basic torrc config:
> 
> User tor
> Group tor
> PIDFile /var/run/tor/tor.pid
> SocksPort 9050 # what port to open for local application connections
> SocksListenAddress 127.0.0.1 # accept connections only from localhost
> Log notice file /var/log/tor/tor.log
> DataDirectory   /var/lib/tor/data
> 
I have the same configuration file as above, but tor does not work for me (amd64 hardened).
Comment 19 Christian Faulhammer (RETIRED) gentoo-dev 2009-12-06 14:37:50 UTC
Fixed, hopefully.