Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
Trac
Trac
  • Project overview
    • Project overview
    • Details
    • Activity
  • Issues 246
    • Issues 246
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Operations
    • Operations
    • Metrics
    • Incidents
  • Analytics
    • Analytics
    • Value Stream
  • Wiki
    • Wiki
  • Members
    • Members
  • Collapse sidebar
  • Activity
  • Create a new issue
  • Issue Boards

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

  • Legacy
  • TracTrac
  • Issues
  • #13415

Closed (moved)
Open
Opened Oct 15, 2014 by teor@teor

tor fails LibreSSL compiliation and chutney basic

I'm having trouble getting LibreSSL to work with tor git on OS X 10.9.

Configuring

Here are the issues I've found and fixed in the configure invocation:

  • configure --with-openssl-dir= detects the wrong bin/openssl if "$OPENSSL_DIR/bin/openssl" isn't in the path before all other openssl executables.
  • configure --enable-static-openssl requires LDFLAGS="$OPENSSL_DIR/lib":$LDFLAGS to link properly, at least on OS X. I'm pretty sure these issues will affect all (non-system/non-standard) SSLs.

Can we make configuring with non-system SSLs easier by prepending "$OPENSSL_DIR/bin" and "$OPENSSL_DIR/lib" to the PATH and LDFLAGS respectively?

Happy to do the fix, but it may take me some time as I'm not familiar with autoconf scripts.

Testing with Chutney

Once I get tor/LibreSSL to compile, the unit tests pass flawlessly.

But I see the following log entries in chutney clients, which I really don't have any idea how to fix (I'm going to try boringssl next):

[notice] We weren't able to find support for all of the TLS ciphersuites that we wanted to advertise. This won't hurt security, but it might make your Tor (if run as a client) more easy for censors to block. [notice] To correct this, use a version of OpenSSL built with none of its ciphers disabled.

[info] TLS error while handshaking with "127.0.0.1": wrong cipher returned (in SSL routines:SSL3_GET_SERVER_HELLO:SSLv3 read server hello B) [info] int connection_tls_continue_handshake(or_connection_t *)(): tls error [misc error]. breaking connection. [info] void circuit_n_chan_done(channel_t *, int)(): Channel failed; closing circ. [info] void circuit_build_failed(origin_circuit_t *)(): Our circuit died before the first hop with no connection [info] void connection_ap_fail_onehop(const char *, cpath_build_state_t *)(): Closing one-hop stream to '$/127.0.0.1' because the OR conn just failed. [info] void connection_or_note_state_when_broken(or_connection_t *)(): Connection died in state 'handshaking (TLS) with SSL state SSLv3 read server hello B in HANDSHAKE' [info] void control_event_bootstrap_problem(const char *, int, or_connection_t *)(): Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 8; recommendation ignore) [info] 8 connections have failed: [info] 8 connections died in state handshaking (TLS) with SSL state SSLv3 read server hello B in HANDSHAKE

chutney routers are similar, with these extra lines on init:

[info] int crypto_global_init(int, const char *, const char *)(): NOT using OpenSSL engine support. [info] int evaluate_evp_for_aes(int)(): This version of OpenSSL has a known-good EVP counter-mode implementation. Using it. [info] void tor_tls_init()(): OpenSSL LibreSSL 2.0 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation

chutney authorities also include these extras:

[info] or_connection_t *connection_or_connect(const tor_addr_t *, uint16_t, const char *, channel_tls_t *)(): Client asked me to connect to myself. Refusing. [info] void log_unsupported_ciphers(smartlist_t *)(): The unsupported ciphers were: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:AES128-SHA:CAMELLIA128-SHA:AES256-SHA:CAMELLIA256-SHA:DES-CBC3-SHA:RC4-SHA [info] TLS error while handshaking with "127.0.0.1": sslv3 alert illegal parameter (in SSL routines:SSL3_READ_BYTES:SSLv3 read client certificate A)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information
Assignee
Assign to
None
Milestone
None
Assign milestone
Time tracking
None
Due date
None
Reference: legacy/trac#13415