[Tor-BSD] Base System OpenSSL deficiencies
Carlo Strub
cs at FreeBSD.org
Mon Dec 16 03:47:31 EST 2013
13/12/2013 10:38 - nanotek wrote:
> I've been parsing through system logs and just finished my daily purge
> of Tor's notices. The following entry spawned this email:
>
> =======================================================
> [notice] We weren't able to find support for all of the TLS
> ciphersuites that we wanted to advertise. This won't hurt security, but
> it might make your Tor (if run as a client) more easy for censors to block.
> [notice] To correct this, use a more recent OpenSSL, built
> without disabling any secure ciphers or features.
> =======================================================
>
> I only have the base system install of OpenSSL (0.9.8y). Whereas, the
> latest release is 1.0.1e, according to openssl.org, and the ports tree
> currently has 1.0.1a available. I did a little research, and upgrading
> to the ports release certainly appears desirable and not just for Tor
> purposes. However, my research also raises concerns regarding the
> possible problems that may arise when transitioning to the ports version
> of OpenSSL: due to its many dependencies it may well affect the function
> of other services; such as, Apache and Postfix.
>
> There's likely a more appropriate forum for this question in a general
> sense -- though, if you feel like offering your suggestions in such a
> systemic context, please do -- but, as it pertains to Tor, is it worth
> the likely hassle of upgrading to improve the efficacy of Tor as a
> relay? Also, as my services run in individual jails, I imagine
> performing the upgrade on the actual host would not benefit my relay
> running in a jail. However (and this is completely unrelated to Tor),
> would at least upgrading the host or a new jail to the ports release
> enable me to generate keys and certificates that jail services could
> utilize (Apache, Postfix, etc)? Or would the programs not only fail to
> take advantage of the improved protocols (TLS 1.1 & 1.2), cipher suites
> (ECDSA & ECDHE) and hardened DH parameters made possible, with new(er)
> versions of OpenSSL, in the keys and certificates but actually fail to
> even operate?
>
> I apologize if the last (or any) question is inappropriate on this list.
> I figure, when I perform the upgrade to the latest security/tor-devel
> build, I should update OpenSSL from ports beforehand if it would benefit
> my relay and thus my clients. And while at it, completely overhaul
> OpenSSL for all my services, if it's not going to be too much work. From
> what I've read, it could at least break Apache and make it insanely hard
> to even fix.
>
> --
> nanotek at bsdbox.co
> _______________________________________________
> A list focused on porting and running Tor software on *BSD Unix
> Tor-BSD mailing list
> Tor-BSD at nycbug.org
> http://www.nycbug.org/mailman/listinfo/tor-bsd
>
FreeBSD 10 will come with an updated version of OpenSSL. So, I would wait for this upgrade to come and then upgrade your host system and all jails. However, if you install OpenSSL from ports there is also no problem at all (both versions can live together). Btw. to take advantage of the ports version, it is not sufficient to install it on the host only. Every jail needs to have it installed.
Honestly, I would not bother at all and leave your system as it is. Just make sure, you are always on the latest version of host, jails, and ports.
Cheers,
C
More information about the Tor-BSD
mailing list