[Tor-BSD] Base System OpenSSL deficiencies
nanotek at bsdbox.co
Fri Dec 13 03:02:59 EST 2013
I've been parsing through system logs and just finished my daily purge
of Tor's notices. The following entry spawned this email:
[notice] We weren't able to find support for all of the TLS
ciphersuites that we wanted to advertise. This won't hurt security, but
it might make your Tor (if run as a client) more easy for censors to block.
[notice] To correct this, use a more recent OpenSSL, built
without disabling any secure ciphers or features.
I only have the base system install of OpenSSL (0.9.8y), whereas the
latest release is 1.0.1e, according to openssl.org, and the ports tree
currently has 1.0.1a available. I did a little research, and upgrading
to the ports release certainly appears desirable, and not just for Tor
purposes. However, my research also raises concerns regarding the
possible problems that may arise when transitioning to the ports version
of OpenSSL: due to its many dependencies it may well affect the function
of other services, such as Apache and Postfix.
There's likely a more appropriate forum for this question in a general
sense -- though, if you feel like offering your suggestions in such a
systemic context, please do -- but, as it pertains to Tor, is it worth
the likely hassle of upgrading to improve the efficacy of Tor as a
relay? Also, as my services run in individual jails, I imagine
performing the upgrade on the actual host would not benefit my relay
running in a jail. However (and this is completely unrelated to Tor),
would at least upgrading the host or a new jail to the ports release
enable me to generate keys and certificates that jail services could
utilize (Apache, Postfix, etc.)? Or would the programs not only fail to
take advantage of the improved protocols (TLS 1.1 & 1.2), cipher suites
(ECDSA & ECDHE) and hardened DH parameters made possible, with new(er)
versions of OpenSSL, in the keys and certificates but actually fail to
I apologize if the last (or any) question is inappropriate on this list.
I figure, when I perform the upgrade to the latest security/tor-devel
build, I should update OpenSSL from ports beforehand if it would benefit
my relay and thus my clients. And while at it, completely overhaul
OpenSSL for all my services, if it's not going to be too much work. From
what I've read, it could at least break Apache and make it insanely hard
to even fix.
nanotek at bsdbox.co
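An added check, not code from the original post or from Tor or FreeBSD: a POSIX sh script that parses `openssl ciphers -v` output and reports whether a given OpenSSL build advertises TLS 1.2 and ECDHE suites, the kind of support the Tor notice above is complaining about. The two embedded cipher lists are constructed samples, one resembling a 0.9.8-era build and one a 1.0.1-era build; `--local` runs the same assessment against whatever `openssl` is first on PATH.

```shell
# Added example (not from the original post, Tor or FreeBSD): parse
# `openssl ciphers -v` lines (NAME PROTO Kx=.. Au=.. Enc=.. Mac=..) and
# report whether the build offers the TLS 1.2 and ECDHE suites Tor's notice mentions.

# Count suites on stdin matching protocol $1 and/or key exchange $2 ("" = any).
count_suites() {
    awk -v proto="$1" -v kx="$2" '
        (proto == "" || $2 == proto) && (kx == "" || $3 == ("Kx=" kx)) { n++ }
        END { print n + 0 }'
}

# "ok: ..." when both TLSv1.2 and ECDHE suites are present, else "deficient: ...".
assess_ciphers() {
    list=$(cat)
    tls12=$(printf '%s\n' "$list" | count_suites TLSv1.2 "")
    ecdhe=$(printf '%s\n' "$list" | count_suites "" ECDH)
    missing=""
    [ "$tls12" -gt 0 ] || missing="$missing TLSv1.2"
    [ "$ecdhe" -gt 0 ] || missing="$missing ECDHE"
    if [ -z "$missing" ]; then
        echo "ok: $tls12 TLSv1.2 suite(s), $ecdhe ECDHE suite(s)"
    else
        echo "deficient:$missing"
    fi
}

# Assess whichever openssl is first on PATH (e.g. run inside each jail).
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH"; return 0; }
    openssl version
    openssl ciphers -v 'ALL:!aNULL' | assess_ciphers
}

# Constructed sample resembling a 0.9.8-era build: no TLS 1.2, no ECDHE.
SAMPLE_OLD='AES256-SHA          SSLv3 Kx=RSA Au=RSA Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA  SSLv3 Kx=DH  Au=RSA Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA        SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1'
# Constructed sample resembling a 1.0.1-era build.
SAMPLE_NEW='ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA          SSLv3   Kx=ECDH Au=RSA   Enc=AES(256)    Mac=SHA1
DHE-RSA-AES256-SHA            SSLv3   Kx=DH   Au=RSA   Enc=AES(256)    Mac=SHA1'

printf 'base-style sample:  %s\n' "$(printf '%s\n' "$SAMPLE_OLD" | assess_ciphers)"
printf 'ports-style sample: %s\n' "$(printf '%s\n' "$SAMPLE_NEW" | assess_ciphers)"
if [ "${1:-}" = "--local" ]; then check_local_openssl; fi
```

Running it with `--local` inside each jail reports on the OpenSSL that jail's PATH resolves (on FreeBSD the base binary is /usr/bin/openssl and the ports one /usr/local/bin/openssl), which is what the services in that jail actually link against.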