Opened 3 years ago

Last modified 3 years ago

#23232 needs_information enhancement

misleading log message related to used SSL vendor

Reported by: toralf Owned by:
Priority: Low Milestone: Tor: unspecified
Component: Core Tor/Tor Version: Tor:
Severity: Trivial Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


On a stable Gentoo Linux with LibreSSL I get:

We were built to run on a 64-bit CPU, with OpenSSL 1.0.1 or later, but with a version of OpenSSL that apparently lacks accelerated support for the NIST P-224 and P-256 groups. Building openssl with such support (using the enable-ec_nistp_64_gcc_128 option when configuring it) would make ECDH much faster.

That hint is, however, not applicable to LibreSSL, is it?

Change History (5)

comment:1 Changed 3 years ago by nickm

Is it? I don't know if it is. Does LibreSSL always include the fast ecdh implementation, or never include it, or something else?

comment:2 Changed 3 years ago by dgoulet

Milestone: Tor: unspecified
Status: new → needs_information

comment:3 Changed 3 years ago by yawning

Resolved #23448 as a duplicate.

comment:4 Changed 3 years ago by svengo

Why should LibreSSL include more than one ECDH implementation? It is an OpenSSL-specific option, so the warning should only appear if tor is using OpenSSL.

LibreSSL offers the following optional features (excerpt from ./configure --help):

Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --enable-silent-rules   less verbose build output (undo: "make V=1")
  --disable-silent-rules  verbose build output (undo: "make V=0")
                          do not reject slow dependency extractors
                          speeds up one-time build
  --enable-shared[=PKGS]  build shared libraries [default=yes]
  --enable-static[=PKGS]  build static libraries [default=yes]
                          optimize for fast installation [default=yes]
  --disable-libtool-lock  avoid locking (might break parallel builds)
  --enable-nc             Enable installing TLS-enabled nc(1)
  --disable-hardening     Disable options to frustrate memory corruption
  --enable-windows-ssp    Enable building the stack smashing protection on
                          Windows. This currently distributing libssp-0.dll.
  --enable-extratests     Enable extra tests that may be unreliable on some
  --disable-asm           Disable assembly

comment:5 Changed 3 years ago by yawning

> Why should LibreSSL include more than one ECDH implementation?

Ask the LibreSSL developers that question; they ship several.

As far as I can tell, if the tor warning message is getting displayed on a LibreSSL system, the library isn't using any of the fast EC implementations that are present in the source tree (agl's or Gueron/Krasnov's).
