Date: Mon, 20 Oct 2014 22:43:31 -0400
From: Nick Mathewson <nickm@torproject.org>
To: "tor-talk@lists.torproject.org" <tor-talk@lists.torproject.org>
Subject: [tor-talk] Fwd: Advisory: remote DoS when using Tor with recent
 OpenSSL versions built with the "no-ssl3" option.

Forwarded from the tor-relays mailing list.

---------- Forwarded message ----------
From: Nick Mathewson <nickm@freehaven.net>
Date: Mon, Oct 20, 2014 at 10:43 PM
Subject: Advisory: remote DoS when using Tor with recent OpenSSL
versions built with the "no-ssl3" option.
To: tor-relays@lists.torproject.org


Hello, relay operators!

There's one important bugfix in the 0.2.5.9-rc release that relay
operators should know about. If you have a version of OpenSSL that
came out last week (like 1.0.1j, 1.0.0, ) and if your version of
openssl is built with the "no-ssl3" flag, then it's possible to crash
your Tor relay remotely if you don't upgrade to 0.2.5.9-rc or to
0.2.4.25 (when that's out).

This appears to be an OpenSSL bug.  The Tor releases in question
contain a workaround for it.

To tell if your version of openssl was built with 'no-ssl3': run
"openssl s_client -ssl3 -connect www.torproject.org:443".  If it gives
you an output beginning with something like:

CONNECTED(00000003)
140632971298688:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140632971298688:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
handshake failure:s3_pkt.c:596:

then you're fine and you don't need to upgrade Tor on your relay.  But if it
says something that starts like:

unknown option -ssl3
usage: s_client args

then you need to upgrade your Tor.

=== Some questions and answers:

Q: Does this affect clients?
A: No.  Only relays.

Q: Does this affect me if I'm running a version of OpenSSL other than
1.0.1j, 1.0.0o, or 0.9.8zc?
A: No. Only those versions.

Q: Does this affect me if I'm running a version of OpenSSL configured
without the "no-ssl3" option?
A: No. Only versions that were built with the "no-ssl3" option are affected.

Q: Does the openssl team know?
A: Yes. Have a look at this thread.
http://marc.info/?l=openssl-dev&m=141357408522028&w=2 .  Also, before
I saw that thread, I informed them the other day.

Q: Does this affect Tor packages?
A: I don't think that we shipped any packages where we used the
"no-ssl3" flag to disable ssl3.  So only if you're using OpenSSL from
another source (say, your operating system) will you be affected.

Q: What can I do to remediate this problem?
A: You can upgrade to the most recent Tor, or you can use a version of
OpenSSL built without the "no-ssl3" flag.  Downgrading your OpenSSL is
not recommended.

Q: What is the potential impact of this bug?
A: If a relay is affected by this bug, anybody can make the relay exit
remotely. It does not enable any data leaks or remote code execution.
Still, the ability to selectively disable relays might enable a
sophisticated attacker to do some kinds of traffic analysis more
efficiently.  So, fix your relay if it's affected.

Q: Should we run in circles and freak out?
A: Not this time. We should just make sure we fix affected relays.

Q: Hey, Nick, you didn't explain this properly!
A: Please send a follow-up message that explains it better. :)



best wishes,
--
Nick
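
The check described in the advisory, scripted for operators who want to run it across several relays. This is an added example, not part of the original message or of Tor. The function names and verdict strings are hypothetical, the sample inputs are constructed from the output quoted above, and the "OpenSSL 1.0.1j 15 Oct 2014" version line is an assumed example of what `openssl version` prints.

```shell
#!/bin/sh
# Added example: apply the advisory's two conditions (affected OpenSSL
# release AND a "no-ssl3" build) to captured command output.

# Constructed samples, based on the two outputs quoted in the advisory.
SAMPLE_SSL3_OK='CONNECTED(00000003)
140632971298688:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40'
SAMPLE_NO_SSL3='unknown option -ssl3
usage: s_client args'

# Reads `openssl s_client -ssl3 ...` output on stdin.
# Prints: no-ssl3 | ssl3-enabled | inconclusive
classify_probe() {
    probe=$(cat)
    case "$probe" in
        *"unknown option -ssl3"*) echo "no-ssl3" ;;
        *CONNECTED*)              echo "ssl3-enabled" ;;
        *)                        echo "inconclusive" ;;  # e.g. no network
    esac
}

# $1: the line printed by `openssl version`.
# Succeeds only for the three releases the advisory names.
affected_version() {
    set -- $1            # split "OpenSSL 1.0.1j 15 Oct 2014" into words
    case "$2" in
        1.0.1j|1.0.0o|0.9.8zc) return 0 ;;
        *)                     return 1 ;;
    esac
}

# $1: `openssl version` line; stdin: s_client probe output.
# Prints: upgrade-tor | ok | inconclusive
relay_verdict() {
    build=$(classify_probe)
    if [ "$build" = "inconclusive" ]; then
        echo "inconclusive"
    elif [ "$build" = "no-ssl3" ] && affected_version "$1"; then
        echo "upgrade-tor"
    else
        echo "ok"
    fi
}

# Live use on a relay host:
#   openssl s_client -ssl3 -connect www.torproject.org:443 </dev/null 2>&1 \
#       | relay_verdict "$(openssl version)"
printf '%s\n' "$SAMPLE_NO_SSL3" | relay_verdict "OpenSSL 1.0.1j 15 Oct 2014"
```

A verdict of "upgrade-tor" means the host meets both conditions from the advisory, so Tor on it should be moved to 0.2.5.9-rc or 0.2.4.25.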

