Opened 16 months ago

Last modified 15 months ago

#23232 needs_information enhancement

misleading log message related to used SSL vendor

Reported by: toralf
Owned by:
Priority: Low
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: 0.3.1.5-alpha
Severity: Trivial
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

On a stable Gentoo Linux with LibreSSL I get:

We were built to run on a 64-bit CPU, with OpenSSL 1.0.1 or later, but with a version of OpenSSL that apparently lacks accelerated support for the NIST P-224 and P-256 groups. Building openssl with such support (using the enable-ec_nistp_64_gcc_128 option when configuring it) would make ECDH much faster.

That hint, however, is not applicable to LibreSSL, is it?

Change History (5)

comment:1 Changed 16 months ago by nickm

Is it? I don't know if it is. Does LibreSSL always include the fast ecdh implementation, or never include it, or something else?

comment:2 Changed 16 months ago by dgoulet

Milestone: Tor: unspecified
Status: new → needs_information

comment:3 Changed 15 months ago by yawning

Resolved #23448 as a duplicate.

comment:4 Changed 15 months ago by svengo

Why should LibreSSL include more than one ECDH implementation? It is an OpenSSL-specific option, so the warning should only appear if tor is using OpenSSL.

LibreSSL offers the following optional features (excerpt from ./configure --help):

Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --enable-silent-rules   less verbose build output (undo: "make V=1")
  --disable-silent-rules  verbose build output (undo: "make V=0")
  --enable-dependency-tracking
                          do not reject slow dependency extractors
  --disable-dependency-tracking
                          speeds up one-time build
  --enable-shared[=PKGS]  build shared libraries [default=yes]
  --enable-static[=PKGS]  build static libraries [default=yes]
  --enable-fast-install[=PKGS]
                          optimize for fast installation [default=yes]
  --disable-libtool-lock  avoid locking (might break parallel builds)
  --enable-nc             Enable installing TLS-enabled nc(1)
  --disable-hardening     Disable options to frustrate memory corruption
                          exploits
  --enable-windows-ssp    Enable building the stack smashing protection on
                          Windows. This currently distributing libssp-0.dll.
  --enable-extratests     Enable extra tests that may be unreliable on some
                          platforms
  --disable-asm           Disable assembly

comment:5 Changed 15 months ago by yawning

> Why should LibreSSL include more than one ECDH implementation?

Ask the LibreSSL developers that question; they ship several.

As far as I can tell, if the tor warning message is getting displayed on a LibreSSL system, the library isn't using any of the fast EC implementations that are present in the source tree (agl's or Gueron/Krasnov's).

https://github.com/libressl-portable/openbsd/tree/master/src/lib/libcrypto/ec
