tor-0.2.1.19-r1 does not work anymore when openssl-0.9.8l is installed, prior version of openssl worked. The current version of openssl fixes a security flaw and tor needs to be updated. The current stable version of tor is 0.2.1.20 but the changelog says "the Changes in 0.2.1.21 - 20??-??-?? Work around a security feature in OpenSSL 0.9.8l that prevents our handshake from working unless we explicitly tell OpenSSL that we are using SSL renegotiation safely. We are, of course, but OpenSSL 0.9.8l won't work unless we say we are." Thus currently only unstable tor versions would work safely, alternatively you can go back to openssl-0.9.8k which is unsafe because you lose the security fix for openssl, but tor can run.

Reproducible: Always

Steps to Reproduce: Searched the web to prove the situation. Have two systems involved. One is using openssl-0.9.8k-r1 and tor-0.2.1.19-r1 happily, tor works. The other is using openssl-0.9.8l and tor-0.2.1.19-r1 and tor barks about TLS error while renegotiating and does not work.

Actual Results: Tor currently is unusable

Expected Results: Please tell me how to get tor running securely in this situation.
the tor bug: http://bugs.noreply.org/flyspray/index.php?do=details&id=1144
Created attachment 209850 [details, diff] fix openssl issue

This patch from http://archives.seul.org/or/cvs/Nov-2009/msg00029.html fixes the openssl compatibility issue for me.
Created attachment 209851 [details] new ebuild adding openssl patch
Thank you both for researching. This should be fixed. When attaching fixed ebuilds, please provide a unified diff next time. That makes reviewing easier.
*** Bug 295280 has been marked as a duplicate of this bug. ***
Richard, which Tor revision are you using?
(In reply to comment #6)
> Richard, which Tor revision are you using?

=net-misc/tor-0.2.1.19-r2

Actually I noticed this bug before reporting about Tor. Tor doesn't work for me even after I upgrade openssl to 0.9.8l-r2
(In reply to comment #7)
> (In reply to comment #6)
> > Richard, which Tor revision are you using?
>
> =net-misc/tor-0.2.1.19-r2
>
> Actually I noticed this bug before reporting about Tor. Tor doesn't work for me
> even after I upgrade openssl to 0.9.8l-r2

Ok, Aidan and Sascha, do you still see this behaviour?
> > Ok, Aidan and Sascha, do you still see this behaviour?

No, the -r2 ebuild/patch fixed the issue. tor-0.2.1.19-r2 with openssl-0.9.8l-r2 is working right now for me.
(In reply to comment #9)
> No, the -r2 ebuild/patch fixed the issue. tor-0.2.1.19-r2 with
> openssl-0.9.8l-r2 is working right now for me.

It seems to me that tor doesn't work only if I enable bridges. Can you append the following four lines to /etc/tor/torrc and try it again?

UseBridges 1
bridge 79.176.43.54:8080
bridge 114.221.37.178:443
bridge 87.118.105.203:443
(In reply to comment #8)
> (In reply to comment #7)
> > (In reply to comment #6)
> > > Richard, which Tor revision are you using?
> >
> > =net-misc/tor-0.2.1.19-r2
> >
> > Actually I noticed this bug before reporting about Tor. Tor doesn't work for me
> > even after I upgrade openssl to 0.9.8l-r2
>
> Ok, Aidan and Sascha, do you still see this behaviour?

net-misc/tor-0.2.1.19-r2 works together with openssl-0.9.8l-r2 again. Behaves as before for me so far. I have almost defaults, especially no bridges configured to tor.
Richard, if no one can reproduce, fixing gets really hard. Do you use any custom config settings? Move the torrc to a safe location and remerge the package for default config.
I just bumped to 0.2.1.20, maybe you can try that.
(In reply to comment #13)
> I just bumped to 0.2.1.20, maybe you can try that.

Tried that, still get this error.. Downgrade to 0.9.8k and it's gone. I believe I didn't modify torrc except enabling bridges.

Dec 03 01:05:25.734 [notice] Tor 0.2.1.20 opening log file.
Dec 03 01:05:25.735 [notice] Parsing GEOIP file.
Dec 03 01:05:26.821 [notice] new bridge descriptor 'mymemorizer' (cached)
Dec 03 01:05:26.822 [notice] No current certificate known for authority urras; launching request.
Dec 03 01:05:26.822 [notice] Bootstrapped 5%: Connecting to directory server.
Dec 03 01:05:26.824 [notice] new bridge descriptor 'dante' (cached)
Dec 03 01:05:26.826 [notice] new bridge descriptor 'gpfTOR4b' (cached)
Dec 03 01:05:26.829 [notice] We now have enough directory information to build circuits.
Dec 03 01:05:26.829 [notice] Bootstrapped 80%: Connecting to the Tor network.
Dec 03 01:05:27.685 [notice] Bootstrapped 85%: Finishing handshake with first hop.
Dec 03 01:05:30.397 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:05:30.438 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:05:30.477 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:05:32.128 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:05:33.517 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:05:33.887 [notice] no known bridge descriptors running yet; stalling
Dec 03 01:05:33.887 [notice] Our directory information is no longer up-to-date enough to build circuits: No live bridge descriptors.
Dec 03 01:08:35.831 [warn] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (Connection timed out; TIMEOUT; count 6; recommendation warn)

OK, if still only I have this problem, I will trace into the codes to see what exactly is happening when I have time.
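A triage sketch for the log in the comment above, added here as an example (it is not part of the thread, the ebuild, or Tor itself): it parses a Tor notice-level log and flags the signature reported in this bug, renegotiation closes combined with a bootstrap that never completes. The function name `triage` and the result keys are assumptions of this example; the sample lines are an excerpt of the log quoted above.

```python
import re
from collections import Counter

# Excerpt of the Tor 0.2.1.20 log quoted in the comment above.
SAMPLE_LOG = """\
Dec 03 01:05:25.734 [notice] Tor 0.2.1.20 opening log file.
Dec 03 01:05:26.829 [notice] Bootstrapped 80%: Connecting to the Tor network.
Dec 03 01:05:27.685 [notice] Bootstrapped 85%: Finishing handshake with first hop.
Dec 03 01:05:30.397 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:05:30.438 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:05:30.477 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:05:32.128 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:05:33.517 [warn] TLS error: unexpected close while renegotiating
Dec 03 01:08:35.831 [warn] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (Connection timed out; TIMEOUT; count 6; recommendation warn)
"""

LINE_RE = re.compile(r"^\w{3} \d{2} [\d:.]+ \[(\w+)\] (.*)$")
PATTERNS = {
    "version": re.compile(r"^Tor (\S+) opening log file"),
    "bootstrap": re.compile(r"^Bootstrapped (\d+)%"),
    "stuck": re.compile(r"Stuck at (\d+)%"),
    "tls": re.compile(r"^TLS error: (.+)$"),
}

def triage(log_text):
    """Summarise a Tor notice-level log: version, bootstrap progress, TLS errors."""
    out = {"version": None, "max_bootstrap": 0, "stuck_at": None, "tls_errors": Counter()}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # skip anything that is not a timestamped Tor log line
        severity, msg = line.groups()
        if m := PATTERNS["version"].search(msg):
            out["version"] = m.group(1)
        elif m := PATTERNS["bootstrap"].search(msg):
            out["max_bootstrap"] = max(out["max_bootstrap"], int(m.group(1)))
        elif m := PATTERNS["stuck"].search(msg):
            out["stuck_at"] = int(m.group(1))
        elif severity == "warn" and (m := PATTERNS["tls"].search(msg)):
            out["tls_errors"][m.group(1)] += 1
    # Signature from this thread: renegotiation closes and bootstrap never completes.
    out["renegotiation_failure"] = (
        out["tls_errors"]["unexpected close while renegotiating"] > 0
        and out["max_bootstrap"] < 100
    )
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A positive result only says the log matches this bug's symptom; the installed openssl and tor revisions still have to be compared against the ones named in the thread.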
Seeing this issue on net-misc/tor-0.2.1.20 on x86/hardened; it does not happen with 0.2.1.19-r2. Checked the 0.2.1.20 source, and I don't see similar code, so the patch seems to still be necessary.
Please fix net-misc/tor-0.2.1.20 which has freshly reintroduced this bug, commit as -r1 and delete the faulty version.
(In reply to comment #16)
> Please fix net-misc/tor-0.2.1.20 which has freshly reintroduced this bug,
> commit as -r1 and delete the faulty version.

tor-0.2.1.20 with openssl-0.9.8l-r2 is working fine for me. I have a very basic torrc config:

User tor
Group tor
PIDFile /var/run/tor/tor.pid
SocksPort 9050 # what port to open for local application connections
SocksListenAddress 127.0.0.1 # accept connections only from localhost
Log notice file /var/log/tor/tor.log
DataDirectory /var/lib/tor/data
(In reply to comment #17)
> (In reply to comment #16)
> > Please fix net-misc/tor-0.2.1.20 which has freshly reintroduced this bug,
> > commit as -r1 and delete the faulty version.
>
> tor-0.2.1.20 with openssl-0.9.8l-r2 is working fine for me. I have a very
> basic torrc config:
>
> User tor
> Group tor
> PIDFile /var/run/tor/tor.pid
> SocksPort 9050 # what port to open for local application connections
> SocksListenAddress 127.0.0.1 # accept connections only from localhost
> Log notice file /var/log/tor/tor.log
> DataDirectory /var/lib/tor/data

I have the same configuration file as above, but tor does not work for me (amd64 hardened).
Fixed, hopefully.