[Tor-BSD] Base System OpenSSL deficiencies

nanotek nanotek at bsdbox.co
Fri Dec 13 03:02:59 EST 2013 

I've been parsing through system logs and just finished my daily purge 
of Tor's notices. The following entry spawned this email:

=======================================================
[notice] We weren't able to find support for all of the TLS
ciphersuites that we wanted to advertise. This won't hurt security, but 
it might make your Tor (if run as a client) more easy for censors to block.
[notice] To correct this, use a more recent OpenSSL, built
without disabling any secure ciphers or features.
=======================================================

I only have the base system install of OpenSSL (0.9.8y). Whereas, the 
latest release is 1.0.1e, according to openssl.org, and the ports tree 
currently has 1.0.1a available. I did a little research, and upgrading 
to the ports release certainly appears desirable and not just for Tor 
purposes. However, my research also raises concerns regarding the 
possible problems that may arise when transitioning to the ports version 
of OpenSSL: due to its many dependencies it may well affect the function 
of other services; such as, Apache and Postfix.

There's likely a more appropriate forum for this question in a general 
sense -- though, if you feel like offering your suggestions in such a 
systemic context, please do -- but, as it pertains to Tor, is it worth 
the likely hassle of upgrading to improve the efficacy of Tor as a 
relay? Also, as my services run in individual jails, I imagine 
performing the upgrade on the actual host would not benefit my relay 
running in a jail. However (and this is completely unrelated to Tor), 
would at least upgrading the host or a new jail to the ports release 
enable me to generate keys and certificates that jail services could 
utilize (Apache, Postfix, etc)? Or would the programs not only fail to 
take advantage of the improved protocols (TLS 1.1 & 1.2), cipher suites 
(ECDSA & ECDHE) and hardened DH parameters made possible, with new(er) 
versions of OpenSSL, in the keys and certificates but actually fail to 
even operate?

I apologize if the last (or any) question is inappropriate on this list. 
I figure, when I perform the upgrade to the latest security/tor-devel 
build, I should update OpenSSL from ports beforehand if it would benefit 
my relay and thus my clients. And while at it, completely overhaul 
OpenSSL for all my services, if it's not going to be too much work. From 
what I've read, it could at least break Apache and make it insanely hard 
to even fix.

-- 
nanotek at bsdbox.co

More information about the Tor-BSD mailing list