Opened 10 years ago

Last modified 8 years ago

#1252 closed defect (Fixed) deb can't do tls renegotiation

Reported by: arma
Owned by: weasel
Priority: Low
Milestone:
Component: Core Tor/Tor
Version:
Severity:
Keywords:
Cc: arma, phobos, Sebastian, nickm, erinn
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


zzz_> Hello, I am using Debian Sid with Tor and Vidalia 0.2.7. When I try to connect to the Tor network, Vidalia shows this error: [Warning] TLS error: unexpected close while renegotiating. Is this a known problem?

zzz_: are you using tor as a client, and it's failing?

zzz_> arma: Yes, I am running as a client only. It has started to give this error very recently.
zzz_> arma: Actually the Debian changelog might give us a hint:

See also which is another person reporting this problem.

[Automatically added by flyspray2trac: Operating System: All]

Child Tickets

Change History (12)

comment:1 Changed 10 years ago by arma

weasel> - + if (version >= 0x009080c0L && version < 0x009080d0L) {
weasel> + + if (version >= 0x009080b0L && version < 0x009080d0L) {
weasel> or something like that'll probably fix it

is that something that should go into tor, or just into deb?

weasel> helix: you aren't on 0.9.8k broken by openssh upstream and the debian
weasel> armadev: good question. I wonder why we don't just re-enable it on all versions of libssl
weasel> at least that didn't cause any ill-effects when I had tested things

weasel> I'll hopefully just have to figure out what libssl version 0.9.8k-6 is internally and change the code in tor
weasel> that change could go upstream, so people can build working tors from source on debian.

is this because tor detects the openssl version and acts based on it, and debian lies about its openssl version because it backported stuff without changing the version number?
weasel> yes.

comment:2 Changed 10 years ago by arma

comment:3 Changed 10 years ago by nickm

arma: as for why we don't enable it unconditionally: see the comment in tor_tls_init().

Basically, the two choices (the flag and the option) are both version-dependent: setting the flag everywhere will break openssl 1.0.x and later (which use that flag to mean something else), and setting the option everywhere will break some pre-openssl-0.9.8m versions (which use that code to mean something else).

comment:4 Changed 10 years ago by arma

Nickm: does it hurt to set the flag on all versions less than 0x009080d0L ?

Debian is not going to be the only place whose openssl lies about its openssl version.

comment:5 Changed 10 years ago by nickm

Hm. I'll have a look through my Directory of OpenSSL Releases and come up with an answer.

comment:6 Changed 10 years ago by nickm

Okay, it looks like the flag wasn't reused until OpenSSL 1.0.3-beta, where it means "TLS1_FLAGS_SKIP_CERT_VERIFY."

See set_ssl3_flag in my public repo.
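The version-range logic the thread is arguing over, as an added illustration that is not Tor's tor_tls_init() or nickm's set_ssl3_flag branch: it decodes OpenSSL's 0xMNNFFPPS version number and picks the renegotiation knob per the bounds discussed above. The bounds (flag from 0x009080b0L, weasel's lowered value, up to but excluding 0.9.8m; the option from 0.9.8m on) and the function names are assumptions taken from this ticket.

```c
#include <stdio.h>
#include <string.h>

/* Which knob to use to re-enable legacy renegotiation. The real
 * symbols (SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, the SSL3 flag;
 * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, the SSL_CTX option) are
 * deliberately not touched here so this runs without libssl headers. */
enum reneg_workaround {
  RENEG_NONE,        /* library predates the renegotiation lockdown */
  RENEG_SSL3_FLAG,   /* 0.9.8k-ish .. 0.9.8l: only the SSL3 flag exists */
  RENEG_SSL_OPTION   /* 0.9.8m and later, including 1.0.x: the option */
};

/* Decide from the *runtime* library version, since (as the thread notes)
 * Debian backported the lockdown into 0.9.8k-6 without bumping the
 * version number, so the lower bound is 0x009080b0L (assumed), not the
 * 0x009080c0L of a stock 0.9.8l. The upper bound keeps the flag off
 * 1.0.x, where the same bit means something else. */
enum reneg_workaround choose_reneg_workaround(unsigned long version)
{
  if (version >= 0x009080d0L)   /* 0.9.8m and later */
    return RENEG_SSL_OPTION;
  if (version >= 0x009080b0L)   /* 0.9.8k (Debian-patched) .. 0.9.8l */
    return RENEG_SSL3_FLAG;
  return RENEG_NONE;
}

/* Render a pre-3.0 OpenSSL version word (0xMNNFFPPS: Major, miNor, Fix,
 * Patch letter, Status) as "M.NN.FF[p]", e.g. 0x009080bfL -> "0.9.8k".
 * Returns a static buffer; not thread-safe, fine for a demo. */
const char *openssl_version_string(unsigned long v)
{
  static char buf[32];
  unsigned major = (v >> 28) & 0xf;
  unsigned minor = (v >> 20) & 0xff;
  unsigned fix   = (v >> 12) & 0xff;
  unsigned patch = (v >> 4)  & 0xff;   /* 0 = none, 1 = 'a', 2 = 'b', ... */
  if (patch)
    snprintf(buf, sizeof buf, "%u.%u.%u%c", major, minor, fix,
             (char)('a' + patch - 1));
  else
    snprintf(buf, sizeof buf, "%u.%u.%u", major, minor, fix);
  return buf;
}
```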

comment:7 Changed 10 years ago by Sebastian

That has a pretty obvious compile error:

cc1: warnings being treated as errors
tortls.c: In function 'tor_tls_init':
tortls.c:371: warning: too few arguments for format

suggested fix in set_ssl3_flag in my repo.

comment:8 Changed 10 years ago by Sebastian

What I forgot to mention: Building the OS X Tor package (including backwards
compatibility for Tiger) results in a Tor that works on 10.6 with that patch.

comment:9 Changed 10 years ago by nickm

Great; I've merged this into both active branches.

comment:10 Changed 10 years ago by arma

I'm going to call this one all fixed. Re-open it if I'm wrong.

comment:11 Changed 10 years ago by arma

flyspray2trac: bug closed.

comment:12 Changed 8 years ago by nickm

Component: Tor Client → Tor