Commit b839ace7 authored by Nick Mathewson's avatar Nick Mathewson 🦀

Merge branch 'bug4822_021_v2_squashed' into maint-0.2.1

parents df17b62d 4752b348

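--- /dev/null
+++ b/changes/bug4822
@@ -0,0 +1,13 @@
+  o Major security workaround:
+    - When building or running with any version of OpenSSL earlier
+      than 0.9.8s or 1.0.0f, disable SSLv3 support. These versions had
+      a bug (CVE-2011-4576) in which their block cipher padding
+      included uninitialized data, potentially leaking sensitive
+      information to any peer with whom they made a SSLv3
+      connection. Tor does not use SSL v3 by default, but a hostile
+      client or server could force an SSLv3 connection in order to
+      gain information that they shouldn't have been able to get. The
+      best solution here is to upgrade to OpenSSL 0.9.8s or 1.0.0f (or
+      later). But when building or running with a non-upgraded
+      OpenSSL, we should instead make sure that the bug can't happen
+      by disabling SSLv3 entirely.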
+34 −3
@@ -64,6 +64,16 @@

#define ADDR(tls) (((tls) && (tls)->address) ? tls->address : "peer")

#if (OPENSSL_VERSION_NUMBER  <  0x0090813fL ||    \
     (OPENSSL_VERSION_NUMBER >= 0x00909000L &&    \
      OPENSSL_VERSION_NUMBER <  0x1000006fL))
/* This is a version of OpenSSL before 0.9.8s/1.0.0f. It does not have
 * the CVE-2011-4657 fix, and as such it can't use RELEASE_BUFFERS and
 * SSL3 safely at the same time.
 */
#define DISABLE_SSL3_HANDSHAKE
#endif

/* We redefine these so that we can run correctly even if the vendor gives us
 * a version of OpenSSL that does not match its header files.  (Apple: I am
 * looking at you.)
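Review bot: The CVE identifier in the new comment above the DISABLE_SSL3_HANDSHAKE definition, CVE-2011-4657, disagrees with the changes/bug4822 entry added by this same commit, which cites CVE-2011-4576 as the OpenSSL SSLv3 block-cipher padding bug; the log_info message in the later tor_tls_context_new hunk repeats 4657. One of the two is a digit transposition, and an operator who searches logs or advisories for the number in the log line will be sent to an unrelated record, so the comment line should read `* the CVE-2011-4576 fix, and as such it can't use RELEASE_BUFFERS and` and the string in the second hunk should be corrected to match. The version bounds themselves (0x0090813fL for 0.9.8s, 0x1000006fL for 1.0.0f) look consistent with the changelog text, and the second hunk's runtime SSLeay() check is cut off at the end of the page.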
@@ -739,16 +749,37 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime,
    result->key = crypto_pk_dup_key(rsa);
  }

#ifdef EVERYONE_HAS_AES
  /* Tell OpenSSL to only use TLS1 */
#if 0
  /* Tell OpenSSL to only use TLS1. This would actually break compatibility
   * with clients that are configured to use SSLv23_method(), so we should
   * probably never use it.
   */
  if (!(result->ctx = SSL_CTX_new(TLSv1_method())))
    goto error;
#else
#endif

  /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
  if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
    goto error;
  SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);

  if (
#ifdef DISABLE_SSL3_HANDSHAKE
      1 ||
#endif
      SSLeay()  <  0x0090813fL ||
      (SSLeay() >= 0x00909000L &&
       SSLeay() <  0x1000006fL)) {
    /* And not SSL3 if it's subject to CVE-2011-4657. */
    log_info(LD_NET, "Disabling SSLv3 because this OpenSSL version "
             "might otherwise be vulnerable to CVE-2011-4657 "
             "(compile-time version %08lx (%s); "
             "runtime version %08lx (%s))",
             OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT,
             SSLeay(), SSLeay_version(SSLEAY_VERSION));
    SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
  }

  SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);

#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION