Re: [tor-bugs] #21152 [Core Tor/Tor]: "connections died in state handshaking (TLS) with SSL state SSLv3" sure makes it look like we're using SSLv3

2017-01-06 Thread Tor Bug Tracker & Wiki
#21152: "connections died in state handshaking (TLS) with SSL state SSLv3" sure
makes it look like we're using SSLv3
----------------------------+---------------------------
  Reporter:  arma           |          Owner:
      Type:  defect         |         Status:  closed
  Priority:  Medium         |      Milestone:
 Component:  Core Tor/Tor   |        Version:
  Severity:  Normal         |     Resolution:  not a bug
  Keywords:                 |  Actual Points:
 Parent ID:                 |         Points:
  Reviewer:                 |        Sponsor:
----------------------------+---------------------------
Changes (by yawning):

 * status:  new => closed
 * resolution:   => not a bug


Comment:

 > So, are the handshakes using SSLv3, or are they not? :)

 OpenSSL prior to 1.1.0 uses `ssl3_connect()` to do the actual connection
 work, even if you are using TLS (See: `ssl/t1_clnt.c`).  OpenSSL 1.1.0 and
 later renames and refactors everything, and will display `SSLv3/TLS read
 server certificate` here instead.

 > I assume this is just a cosmetic issue where SSL_state_string_long()
 > lies to us.

 Indeed.  And there's nothing we can do about it.

 > But who knows, maybe there is something deeper going on?

 {{{
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
 }}}

 If people are really worried, they can gather a pcap containing the
 ClientHello and look at the version while keeping in mind Appendix E of
 the RFC.

 Since this is cosmetic, OpenSSL's fault, and fixed in newer OpenSSL, I'm
 going to close this.  Reopen it once someone produces a pcap displaying
 horrifyingly wrong behavior.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] #21152 [Core Tor/Tor]: "connections died in state handshaking (TLS) with SSL state SSLv3" sure makes it look like we're using SSLv3

2017-01-06 Thread Tor Bug Tracker & Wiki
#21152: "connections died in state handshaking (TLS) with SSL state SSLv3" sure
makes it look like we're using SSLv3
----------------------------+---------------------
      Reporter:  arma       |      Owner:
          Type:  defect     |     Status:  new
      Priority:  Medium     |  Milestone:
     Component:  Core Tor/Tor  |    Version:
      Severity:  Normal     |   Keywords:
 Actual Points:             |  Parent ID:
        Points:             |   Reviewer:
       Sponsor:             |
----------------------------+---------------------
 A user on #tor pointed out:
 {{{
 Jan 05 13:52:18.000 [warn]  158 connections died in state handshaking
 (TLS) with SSL state SSLv3 read server certificate B in HANDSHAKE
 }}}

 Yet the ChangeLog for Tor 0.2.5.9-rc says:
 {{{
 - Disable support for SSLv3. All versions of OpenSSL in use with Tor
   today support TLS 1.0 or later, so we can safely turn off support
   for this old (and insecure) protocol. Fixes bug 13426.
 }}}

 So, are the handshakes using SSLv3, or are they not? :)

 I assume this is just a cosmetic issue where SSL_state_string_long() lies
 to us. But who knows, maybe there is something deeper going on?
