Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#61623 - [openssl] regression in 1.1.1a breaks tor
Attached to Project:
Arch Linux
Opened by Jon Gjengset (Jonhoo) - Monday, 04 February 2019, 00:29 GMT
Last edited by Jan de Groot (JGC) - Friday, 31 May 2019, 06:51 GMT
Details

Description:
The release of openssl 1.1.1a breaks tor due to an erroneous backwards-incompatible change in OpenSSL (https://github.com/openssl/openssl/issues/7712). It's been fixed in https://github.com/openssl/openssl/pull/7755, but that fix isn't scheduled for a release for another few months. In the meantime, tor fails to establish any connections with:

Feb 03 19:23:01 Tor[331]: Unhandled OpenSSL errors found at src/common/buffers_tls.c:65:
Feb 03 19:23:01 Tor[331]: TLS error: internal error (in SSL routines:tls13_hkdf_expand:---)

Observed with:
- openssl 1.1.1.a-1
- tor 0.3.4.9-1

We should probably include https://github.com/openssl/openssl/pull/7755 until a new OpenSSL release is published.
Closed by Jan de Groot (JGC)
Friday, 31 May 2019, 06:51 GMT
Reason for closing: Fixed
Additional comments about closing: 1.1.1.b-1
Comment by regid (regid1) -
Saturday, 23 February 2019, 21:20 GMT
Was I expected to see that log snippet in the journal when starting tor? tor 0.3.5.8-1 was uploaded a short while ago. With it, and openssl 1.1.1.a-1, there is no such snippet in the journal after tor has started.
Comment by loqs (loqs) -
Saturday, 23 February 2019, 22:06 GMT
In https://github.com/torproject/tor/pull/625 the bug is detected and worked around.
Comment by Eli Schwartz (eschwartz) -
Sunday, 24 February 2019, 03:41 GMT
- Field changed: Summary ([openssl] 1.1.1a breaks tor → [openssl] regression in 1.1.1a breaks tor)
- Field changed: Status (Unconfirmed → Assigned)
- Task assigned to Pierre Schmitz (Pierre)
The workaround is to detect the buggy behavior and disable TLS 1.3 entirely, so we'd better backport the fix for openssl instead...