Opened 7 years ago

Closed 6 years ago

#6055 closed enhancement (implemented)

Re-enable TLS 1.1 and TLS 1.2 once they are fixed

Reported by: nickm
Owned by:
Priority: High
Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor
Version:
Severity:
Keywords: ssl openssl tor-relay 024-backport
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

See #6033 for why we needed to disable TLS1.1 and TLS1.2.

We'd like to turn them back on once OpenSSL 1.0.1d comes out with the bugfix. The easiest way to do that will be to make the whole block that disables them conditional on the compile-time OpenSSL version.

Of course, we'll have the obvious problem: many vendors will only partially backport openssl changes, and will not bump the OpenSSL version when they do so. We should see where and how this is a problem: Right now, Ubuntu 12.04 (LTS!? :( ) seems to be the likeliest place for a problem to occur here, since it's shipping a patched 1.0.1 that it calls 1.0.1-4.

If we decide we need to re-enable TLS on these platforms too, here are the options I can think of:

  • Try renegotiation with TLS 1.2 with ourselves at runtime. If that fails, disable TLS 1.1 and TLS 1.2.
  • Have a compile-time or runtime option that tells us that openssl has been fixed.
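The compile-time version gate described above, as an added illustration that is not code from the ticket's branch or from Tor: it encodes versions the way OpenSSL's OPENSSL_VERSION_NUMBER does (0xMNNFFPPS, patch letter a=1, release status nibble 0xf) and treats the 1.0.1 series before 1.0.1e as affected, the range the ticket arrives at once 1.0.1d turned out to be defective. The helper names and the runtime/compile-time comparison are assumptions for the example; in real code the two inputs would be OPENSSL_VERSION_NUMBER and SSLeay().

```c
#include <stdbool.h>
#include <stdio.h>

/* Encode a version number with OpenSSL's 0xMNNFFPPS layout.
   patch is the release letter ('a' == 1, 'b' == 2, ...) or 0 for none;
   the low nibble 0xf marks a release build. (Helper assumed for this example.) */
static unsigned long openssl_version(int major, int minor, int fix, char patch)
{
  unsigned long p = patch ? (unsigned long)(patch - 'a' + 1) : 0UL;
  return ((unsigned long)major << 28) | ((unsigned long)minor << 20)
       | ((unsigned long)fix << 12) | (p << 4) | 0xfUL;
}

/* True when TLS 1.1/1.2 must stay disabled: the 1.0.1 series up to and
   including 1.0.1d, per the ticket (1.0.1e is the first release that works). */
static bool tls11_12_broken(unsigned long version)
{
  return version >= openssl_version(1, 0, 1, 0)
      && version <  openssl_version(1, 0, 1, 'e');
}

/* A vendor build may pair newer headers with an older shared library (or the
   reverse), so check the version the code was compiled against and the one
   actually loaded, and disable if either is in the broken range. This is the
   conservative side of the version-only check; it cannot see a silent backport. */
static bool disable_tls11_12(unsigned long compile_time, unsigned long run_time)
{
  return tls11_12_broken(compile_time) || tls11_12_broken(run_time);
}

int main(void)
{
  /* Constructed sample pairs: (headers, library) */
  unsigned long hdr = openssl_version(1, 0, 1, 'e');  /* 0x1000105f */
  unsigned long lib = openssl_version(1, 0, 1, 'c');  /* 0x1000103f */
  printf("1.0.1e headers, 1.0.1c library: disable=%d\n",
         disable_tls11_12(hdr, lib));
  return 0;
}
```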

Child Tickets

Attachments (1)

srt.c (5.1 KB) - added by nickm 7 years ago.
Demo program to test for bug6033


Change History (17)

Changed 7 years ago by nickm

Attachment: srt.c added

Demo program to test for bug6033

comment:1 Changed 7 years ago by nickm

Just attached a self-renegotiation-test program that uses BIO_s_mem() to try out renegotiation with ourselves with and without TLS1.1 and TLS1.2 disabled. This will only work on OpenSSL 1.0.1 and later, but OpenSSL 1.0.1 is the only version exhibiting bug #6033, so that's probably fine.

This is a standalone demo right now; we'd need to incorporate it into Tor. I wouldn't want to do that without more testing with more OpenSSL versions, including whatever version solves #6033.

comment:2 Changed 7 years ago by nickm

Status: new → needs_revision

comment:3 Changed 7 years ago by nickm

Keywords: ssl openssl added
Milestone: Tor: 0.2.3.x-final → Tor: 0.2.4.x-final

(It's pretty weird that there hasn't been a new openssl release yet.)

comment:4 Changed 7 years ago by nickm

Keywords: tor-relay added

comment:5 Changed 7 years ago by nickm

Component: Tor Relay → Tor

comment:6 Changed 6 years ago by nickm

OpenSSL 1.0.1d came out today.

comment:7 in reply to: 6; Changed 6 years ago by tmpname0901

Replying to nickm:

OpenSSL 1.0.1d came out today.

OpenSSL 1.0.1d is defective. New release is pending.

http://rt.openssl.org/Ticket/Display.html?id=2975

comment:8 in reply to: 7; Changed 6 years ago by nickm

Replying to tmpname0901:

Replying to nickm:

OpenSSL 1.0.1d came out today.

OpenSSL 1.0.1d is defective. New release is pending.

See also #8179

http://rt.openssl.org/Ticket/Display.html?id=2975

That URL requires a login, with no description of how to get one.

comment:9 Changed 6 years ago by nickm

Milestone: Tor: 0.2.4.x-final → Tor: 0.2.5.x-final

Kicking this into 0.2.5. We can move it back if OpenSSL 1.0.1e comes out tomorrow or something and somehow works.

comment:10 Changed 6 years ago by nickm

OpenSSL 1.0.1e came out today. Still thinking it might be clever to defer this to Tor 0.2.5.x.

comment:11 Changed 6 years ago by nickm

Priority: normal → major

comment:12 Changed 6 years ago by nickm

Status: needs_revision → needs_review

Minimal fix in branch "bug6055" in my public repository. It does no special testing; it just looks at the version number.

comment:13 Changed 6 years ago by nickm

Keywords: 024-backport added

(The branch is against 0.2.4, just in case)

comment:14 in reply to: 12; Changed 6 years ago by andrea

Replying to nickm:

Minimal fix in branch "bug6055" in my public repository. It does no special testing; it just looks at the version number.

This looks pretty straightforwardly okay to me.

comment:15 Changed 6 years ago by nickm

Milestone: Tor: 0.2.5.x-final → Tor: 0.2.4.x-final

Whoops; I did the patch against release-0.2.4, not maint-0.2.4. I've rebased the patch onto maint-0.2.4 as "bug6055_v2_024."

Merged that into 0.2.5; marking for possible 0.2.4 backport.

comment:16 Changed 6 years ago by nickm

Resolution: implemented
Status: needs_review → closed

Merging back to 0.2.4.
