Opened 9 months ago

Closed 9 months ago

#21152 closed defect (not a bug)

"connections died in state handshaking (TLS) with SSL state SSLv3" sure makes it look like we're using SSLv3

Reported by: arma
Owned by:
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

A user on #tor pointed out:

Jan 05 13:52:18.000 [warn]  158 connections died in state handshaking (TLS) with SSL state SSLv3 read server certificate B in HANDSHAKE

Yet the ChangeLog for Tor 0.2.5.9-rc says:

    - Disable support for SSLv3. All versions of OpenSSL in use with Tor
      today support TLS 1.0 or later, so we can safely turn off support
      for this old (and insecure) protocol. Fixes bug 13426.

So, are the handshakes using SSLv3, or are they not? :)

I assume this is just a cosmetic issue where SSL_state_string_long() lies to us. But who knows, maybe there is something deeper going on?

Change History (1)

comment:1 Changed 9 months ago by yawning

Resolution: not a bug
Status: new → closed

> So, are the handshakes using SSLv3, or are they not? :)

OpenSSL prior to 1.1.0 uses ssl3_connect() to do the actual connection work, even if you are using TLS (See: ssl/t1_clnt.c). OpenSSL 1.1.0 and later renames and refactors everything, and will display SSLv3/TLS read server certificate here instead.

> I assume this is just a cosmetic issue where SSL_state_string_long() lies to us.

Indeed. And there's nothing we can do about it.

> But who knows, maybe there is something deeper going on?

  SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
  SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);

If people are really worried, they can gather a pcap containing the ClientHello and look at the version while keeping in mind Appendix E of the RFC.

Since this is cosmetic, OpenSSL's fault, and fixed in newer OpenSSL, I'm going to close this. Reopen it once someone produces a pcap displaying horrifyingly wrong behavior.
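
The pcap check suggested in comment:1, as an added example (not from the ticket or from Tor's code): it reads both version fields from a raw ClientHello and shows why the record-layer version alone proves nothing. It assumes "the RFC" means RFC 5246 (TLS 1.2), whose Appendix E covers backward compatibility; `client_hello_versions`, `build_hello` and the sample bytes are constructed for illustration.

```python
import struct

NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS 1.0",
         0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def client_hello_versions(data: bytes) -> dict:
    """Return the record-layer version and the version the client offers."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-compatible hello (Appendix E.2): 2-byte length with the high
        # bit set, msg_type 1, then the highest version the client supports.
        record = None
        (offered,) = struct.unpack_from("!H", data, 3)
    else:
        if len(data) < 11:
            raise ValueError("truncated record")
        ctype, record, _length = struct.unpack_from("!BHH", data, 0)
        if ctype != 0x16 or data[5] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        # Handshake header is type(1) + length(3); client_version follows.
        # Appendix E.1 lets the record layer carry any {03,XX} here, so only
        # client_version says what is offered. (TLS 1.3 clients freeze it at
        # 0x0303 and list real versions in the supported_versions extension.)
        (offered,) = struct.unpack_from("!H", data, 9)
    return {
        "record": NAMES.get(record, "n/a" if record is None else hex(record)),
        "offered": NAMES.get(offered, hex(offered)),
        "sslv3_is_max": offered <= 0x0300,   # the case worth reopening over
    }

def build_hello(record_version: int, client_version: int) -> bytes:
    """Constructed sample: a minimal ClientHello with the given versions."""
    body = struct.pack("!H", client_version) + bytes(32)  # version + random
    body += b"\x00"                 # empty session_id
    body += b"\x00\x02\xc0\x2f"     # one cipher suite
    body += b"\x01\x00"             # null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, record_version, len(hs)) + hs

if __name__ == "__main__":
    # Record layer says 3.0 or 3.1, yet the client is offering TLS 1.2.
    for rec, cli in [(0x0300, 0x0303), (0x0301, 0x0303), (0x0300, 0x0300)]:
        print(client_hello_versions(build_hello(rec, cli)))
```

Only the last constructed case, where `client_version` itself is 3.0, would indicate an SSLv3-only offer.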