FS#61623 - [openssl] regression in 1.1.1a breaks tor
Attached to Project:
Arch Linux
Opened by Jon Gjengset (Jonhoo) - Monday, 04 February 2019, 00:29 GMT
Last edited by Jan de Groot (JGC) - Friday, 31 May 2019, 06:51 GMT
Details
Description:
The release of openssl 1.1.1a breaks tor due to an erroneous backwards-incompatible change in OpenSSL (https://github.com/openssl/openssl/issues/7712). It's been fixed in https://github.com/openssl/openssl/pull/7755, but that fix isn't scheduled for a release for another few months. In the meantime, tor fails to establish any connections with:

Feb 03 19:23:01 Tor[331]: Unhandled OpenSSL errors found at src/common/buffers_tls.c:65:
Feb 03 19:23:01 Tor[331]: TLS error: internal error (in SSL routines:tls13_hkdf_expand:---)

Observed with:
- openssl 1.1.1.a-1
- tor 0.3.4.9-1

We should probably include https://github.com/openssl/openssl/pull/7755 until a new OpenSSL release is published.
Closed by Jan de Groot (JGC)
Friday, 31 May 2019, 06:51 GMT
Reason for closing: Fixed
Additional comments about closing: 1.1.1.b-1
Comment by regid (regid1) - Saturday, 23 February 2019, 21:20 GMT
Was I expected to see that log snippet in the journal when starting tor? tor 0.3.5.8-1 was uploaded a short while ago. With it, and openssl 1.1.1.a-1, there is no such snippet in the journal after tor has started.

Comment by loqs (loqs) - Saturday, 23 February 2019, 22:06 GMT
https://github.com/torproject/tor/pull/625: the bug is detected and worked around.

Comment by Eli Schwartz (eschwartz) - Sunday, 24 February 2019, 03:41 GMT
- Field changed: Summary ([openssl] 1.1.1a breaks tor → [openssl] regression in 1.1.1a breaks tor)
- Field changed: Status (Unconfirmed → Assigned)
- Task assigned to Pierre Schmitz (Pierre)
The workaround is to detect the buggy behavior and disable TLS 1.3 entirely, so we'd better backport the fix for openssl instead...
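The thread turns on whether a given host shows the journal signature quoted in the report (a Tor "TLS error" line whose OpenSSL error-queue entry names tls13_hkdf_expand). The following is an added example, not code from this bug report, from Tor or from OpenSSL: it parses journalctl short-format lines of the shape shown in the description, extracts the OpenSSL library/function/reason triple that Tor prints as "(in lib:func:reason)", and reports whether the regression signature is present. The sample journal excerpt is constructed (the two lines from the report plus unrelated noise); the regex layout and the helper names are my own assumptions, not anything Tor or journald defines.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# journalctl short-format line, as quoted in the report:
#   "Feb 03 19:23:01 Tor[331]: TLS error: internal error (in SSL routines:tls13_hkdf_expand:---)"
# Layout assumed here: "<Mon dd HH:MM:SS> <ident>[<pid>]: <message>".
JOURNAL_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ident>\S+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Tor renders one OpenSSL error-queue entry as "(in <library>:<function>:<reason>)";
# "---" is what the quoted line shows when OpenSSL supplies no reason string.
OPENSSL_ERR = re.compile(r"\(in (?P<lib>[^:()]+):(?P<func>[^:()]+):(?P<reason>[^)]*)\)")

# Signature of the 1.1.1a regression as it appears in the report.
REGRESSION_FUNC = "tls13_hkdf_expand"


@dataclass(frozen=True)
class TlsError:
    timestamp: str
    pid: int
    lib: str
    func: str
    reason: str


def parse_tls_errors(lines: Iterable[str]) -> List[TlsError]:
    """Return every Tor 'TLS error' journal line that carries an OpenSSL error-queue entry."""
    found: List[TlsError] = []
    for line in lines:
        m = JOURNAL_LINE.match(line.strip())
        # Only Tor's own lines matter; other daemons may log OpenSSL errors too.
        if not m or not m.group("ident").lower().startswith("tor"):
            continue
        msg = m.group("msg")
        if not msg.startswith("TLS error:"):
            continue
        e = OPENSSL_ERR.search(msg)
        if not e:
            continue
        found.append(
            TlsError(m.group("ts"), int(m.group("pid")),
                     e.group("lib"), e.group("func"), e.group("reason"))
        )
    return found


def hkdf_regression_hits(lines: Iterable[str]) -> List[TlsError]:
    """Subset of TLS errors whose failing OpenSSL function is tls13_hkdf_expand."""
    return [e for e in parse_tls_errors(lines) if e.func == REGRESSION_FUNC]


def is_affected(lines: Iterable[str]) -> bool:
    """True if the journal excerpt shows the signature quoted in the report."""
    return bool(hkdf_regression_hits(list(lines)))


# Constructed sample: the two lines quoted in the report plus noise that must not match.
SAMPLE_JOURNAL = """\
Feb 03 19:23:01 Tor[331]: Unhandled OpenSSL errors found at src/common/buffers_tls.c:65:
Feb 03 19:23:01 Tor[331]: TLS error: internal error (in SSL routines:tls13_hkdf_expand:---)
Feb 03 19:23:02 sshd[412]: Accepted publickey for user from 10.0.0.5 port 51234 ssh2
Feb 03 19:23:05 Tor[331]: Bootstrapped 5% (conn): Connecting to a relay
""".splitlines()

if __name__ == "__main__":
    for hit in hkdf_regression_hits(SAMPLE_JOURNAL):
        print(f"{hit.timestamp} pid={hit.pid}: {hit.lib}:{hit.func}:{hit.reason}")
    print("affected" if is_affected(SAMPLE_JOURNAL) else "not affected")
```

To run it against a real host, feed it `journalctl -u tor -o short` output line by line instead of SAMPLE_JOURNAL. The parser keys on the function name rather than on the "internal error" wording, since the function is the stable part of an OpenSSL error-queue entry while the reason string depends on what OpenSSL chose to attach.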