GitLab

I'm having trouble getting LibreSSL to work with tor git on OS X 10.9.

Configuring

Here are the issues I've found and fixed in the configure invocation:

• configure --with-openssl-dir= detects the wrong bin/openssl if "$OPENSSL_DIR/bin/openssl" isn't in the path before all other openssl executables.
• configure --enable-static-openssl requires LDFLAGS="$OPENSSL_DIR/lib":$LDFLAGS to link properly, at least on OS X. I'm pretty sure these issues will affect all (non-system/non-standard) SSLs.

Can we make configuring with non-system SSLs easier by prepending "$OPENSSL_DIR/bin" and "$OPENSSL_DIR/lib" to the PATH and LDFLAGS respectively?

Happy to do the fix, but it may take me some time as I'm not familiar with autoconf scripts.

Testing with Chutney

Once I get tor/LibreSSL to compile, the unit tests pass flawlessly.

But I see the following log entries in chutney clients, which I really don't have any idea how to fix (I'm going to try boringssl next):

[notice] We weren't able to find support for all of the TLS ciphersuites that we wanted to advertise. This won't hurt security, but it might make your Tor (if run as a client) more easy for censors to block. [notice] To correct this, use a version of OpenSSL built with none of its ciphers disabled.

[info] TLS error while handshaking with "127.0.0.1": wrong cipher returned (in SSL routines:SSL3_GET_SERVER_HELLO:SSLv3 read server hello B) [info] int connection_tls_continue_handshake(or_connection_t *)(): tls error [misc error]. breaking connection. [info] void circuit_n_chan_done(channel_t *, int)(): Channel failed; closing circ. [info] void circuit_build_failed(origin_circuit_t *)(): Our circuit died before the first hop with no connection [info] void connection_ap_fail_onehop(const char *, cpath_build_state_t *)(): Closing one-hop stream to '$/127.0.0.1' because the OR conn just failed. [info] void connection_or_note_state_when_broken(or_connection_t *)(): Connection died in state 'handshaking (TLS) with SSL state SSLv3 read server hello B in HANDSHAKE' [info] void control_event_bootstrap_problem(const char *, int, or_connection_t *)(): Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 8; recommendation ignore) [info] 8 connections have failed: [info] 8 connections died in state handshaking (TLS) with SSL state SSLv3 read server hello B in HANDSHAKE

chutney routers are similar, with these extra lines on init:

[info] int crypto_global_init(int, const char *, const char *)(): NOT using OpenSSL engine support. [info] int evaluate_evp_for_aes(int)(): This version of OpenSSL has a known-good EVP counter-mode implementation. Using it. [info] void tor_tls_init()(): OpenSSL LibreSSL 2.0 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation

chutney authorities also include these extras:

[info] or_connection_t *connection_or_connect(const tor_addr_t *, uint16_t, const char *, channel_tls_t *)(): Client asked me to connect to myself. Refusing. [info] void log_unsupported_ciphers(smartlist_t *)(): The unsupported ciphers were: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:AES128-SHA:CAMELLIA128-SHA:AES256-SHA:CAMELLIA256-SHA:DES-CBC3-SHA:RC4-SHA [info] TLS error while handshaking with "127.0.0.1": sslv3 alert illegal parameter (in SSL routines:SSL3_READ_BYTES:SSLv3 read client certificate A)