Opened 3 years ago

Closed 2 years ago

#25353 closed defect (fixed)

Configure fails with some OpenSSL 1.1.0 built with no-deprecated.

Reported by: laomaiweng Owned by: nickm
Priority: Medium Milestone: Tor: 0.3.4.x-final
Component: Core Tor/Tor Version: Tor:
Severity: Normal Keywords: openssl, tor-ssl, 034-triage-20180328, 034-must, compatibility, build, 034-included-20180405
Cc: Actual Points:
Parent ID: #19429 Points: 1
Reviewer: catalyst Sponsor:


On my machine with OpenSSL 1.1.0, Tor's configure script fails to detect OpenSSL and gives me the following error:

configure: Now, we'll look for OpenSSL >= 1.0.1
checking for openssl directory... configure: WARNING: Could not find a linkable openssl.  If you have it installed somewhere unusual, you can specify an explicit path using --with-openssl-dir
configure: error: Missing libraries; unable to proceed.

This seems to be due to the fact that configure checks for OpenSSL >= 1.0.1 with TLSv1_1_method(), which is deprecated in favor of TLS_method() in OpenSSL 1.1.0.
On my configuration of OpenSSL 1.1.0, deprecated functions are not available by default (not without first enabling the OPENSSL_API_COMPAT compatibility #define), hence the failure.

I'd gladly provide a patch, but I'm not sure how this would best be fixed: explicitly check for TLS_method() in case the check for TLSv1_1_method() fails? Replace this test with a test on OPENSSL_VERSION_NUMBER? Find some other function introduced in 1.0.1 and neither removed nor deprecated in 1.1.0?

Child Tickets

Change History (21)

comment:1 Changed 3 years ago by laomaiweng

Parent ID: #19429

comment:2 Changed 3 years ago by teor

Keywords: tor-ssl added; 1.1.0 tlsv1_1_method deprecated removed
Milestone: Tor: unspecifiedTor: 0.3.4.x-final
Severity: MinorNormal

What version of Tor are you trying to build?

comment:3 Changed 3 years ago by laomaiweng

This is against Tor, but I guess Tor's master branch is also affected as it also checks for TLSv1_1_method() in

comment:4 Changed 3 years ago by teor

Keywords: 033-backport 032-backport 031-backport 029-backport added
Points: 1
Version: Tor:

It affects every version since we introduced the TLSv1_1_method() check, which I think was #16034 in

comment:5 Changed 3 years ago by nickm

Keywords: 033-must added

comment:6 Changed 3 years ago by nickm

Owner: set to nickm
Status: newaccepted

comment:7 Changed 3 years ago by nickm

Keywords: 031-backport 029-backport removed
Summary: Configure fails with some OpenSSL 1.1.0Configure fails with some OpenSSL 1.1.0 built with no-deprecated.

This bug appears to be an issue when openssl is built with no-deprecated, and only with Tor 0.3.2 or later.

comment:8 Changed 3 years ago by nickm

One challenge here is that we need to make sure that we do not needlessly break libressl.

comment:9 Changed 3 years ago by nickm

I think we could use "SSL_CIPHER_get_id" here -- it is new in 1.0.1, present in libressl, not deprecated, and actually used by Tor.

comment:10 Changed 3 years ago by nickm

I've had a partial success here.

My branch bug25353_032 replaces the TLSv1_1_method() check with a SSL_CIPHER_get_id() test. (You can see my public repository at .)

The problem here, though, is that this change is not enough to make Tor compile when OpenSSL is built with no-deprecated. Tor uses the following deprecated functions:


The number of functions here makes me think that we should postpone compatibility with no-deprecated OpenSSL until 0.3.4. What do you think?

comment:11 Changed 3 years ago by laomaiweng

Thanks for this work!

I'm well aware of the fact that Tor still won't build against OpenSSL 1.1.0 with no-deprecated even after this ticket is resolved. But I was under the impression that this was not a priority for Tor (see #19429 and particularly comment:4:ticket:19429), though I'd be glad if this position were revised! :)

I reported this ticket as a first step towards no-deprecated compatibility and because TLSv1_1_method() felt wrong to check for in configure, as it wasn't even used anywhere.

If Tor wants to move towards full no-deprecated compatibility, be aware a Gentoo user already offered a patch here: Though the patch was against Tor 0.3.0, I think it still applies fine to Tor 0.3.3.
Other than that, I don't have strong feelings as to what to do next about this ticket, or OpenSSL 1.1.0 no-deprecated compatibility in general. I'll just be happy if it all gets merged/supported eventually.

comment:12 Changed 3 years ago by nickm

Keywords: 033-backport 032-backport 033-must removed

I think maybe we should revisit that choice in 0.3.4, time permitting. This can't be an 033 item, though, since it's pretty solidly a new feature.

Our earlier plan to wait until 1.0.2 is obsolete looks like it won't fly: that's a LTS release, and it won't go away till the end of next year.

comment:13 Changed 3 years ago by nickm

Keywords: 034-triage-20180328 added

comment:14 Changed 3 years ago by nickm

Keywords: 034-removed-20180328 added

Per our triage process, these tickets are pending removal from 0.3.4.

comment:15 Changed 3 years ago by nickm

Keywords: 034-must compatibility build added; 034-removed-20180328 removed

comment:16 Changed 3 years ago by nickm

Keywords: 034-included-20180405 added

comment:17 Changed 3 years ago by nickm

Status: acceptedneeds_review

(See parent ticket -- I have adapted the patch from the gentoo bugtracker above to work on 0.3.4, fixed some other cases of similar problems, and merged it with the work from this ticket.)

comment:18 Changed 2 years ago by dgoulet

Reviewer: catalyst

comment:19 Changed 2 years ago by catalyst

Status: needs_reviewneeds_revision

comment:20 Changed 2 years ago by nickm

merging parent.

comment:21 Changed 2 years ago by nickm

Resolution: fixed
Status: needs_revisionclosed
Note: See TracTickets for help on using tickets.