Apple workaround for openssl issues on OS X 10.5 and 10.6

Apple responded to my bug report about a broken openssl. I've since built test packages for OS X 10.5 and 10.6 users. Their response is:

Thank you for your report of this issue with Tor.

The issue you're seeing is because the current versions of the development tools were created before the OpenSSL security fix, and so do not include the "SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION" definition in the OpenSSL headers.

You can work around this issue by supplying the definition to Tor directly, for example by compiling Tor using

CPPFLAGS='-DSSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION=0x0010' ./configure && make

This will work on both Leopard and Snow Leopard.

If you have an Intel (i386) Mac, use the normal i386 packages for Tor 0.2.2.8-alpha release at https://www.torproject.org/download.

If you have a PowerPC (ppc) Mac AND are running OS X 10.5 or 10.6, use these packages:

Tor Expert: https://www.torproject.org/dist/osx-old/Tor-0.2.2.8-alpha-i386-10.5-10… and .asc.

Vidalia Bundle: https://www.torproject.org/dist/vidalia-bundles/vidalia-bundle-0.2.2.8-… and .asc.

If you have a PowerPC (ppc) Mac AND ARE running OS X 10.3 or 10.4, use the normal ppc packages at https://www.torproject.org/download.

This can be confusing. I now maintain two different PowerPC packages. One set for pre-10.5 and one set for 10.5 and later OS X versions. This is because Apple didn't update 10.3 nor 10.4 for the openssl bug.

khled.8@hotmai.com

February 01, 2010

Permalink

Maybe it's the wrong place here, but since you are talking about the Mac:
I'd really love to see the old "tor mac expert package" again.

In former times the "expert package" included a launch script (/Library/StartupItems/Tor/tor) and also Privoxy with a launchscript (/Library/StartupItems/Privoxy/privoxy). This was such a wonderful package which just worked "in the background" - ready for action with any SOCKS compliant application or via Torbutton.

The Vidalia Packages are unfortunately a pain in the a.. - and even worse I didn't archive the old startupItem scripts (otherwise i'd build the package myself).

Please consider distribution the "expert package" like it was "in former times" again.
Vidalia sucks :-)

khled.8@hotmai.com

February 01, 2010

Permalink

It doesn't work. Tor 0.2.2.8-alpha crashes immediately after launch. I have Qt SDK 201001 installed on my Mac, is this the cause?

khled.8@hotmai.com

February 02, 2010

Permalink

Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 QtCore 0x012a8d07 QObject::moveToThread(QThread*) + 39
1 QtCore 0x0129987f QFactoryLoader::instance(QString const&) const + 303
2 QtGui 0x00605e76 createReadHandlerHelper(QIODevice*, QByteArray const&, bool, bool) + 1814
3 QtGui 0x00607175 QImageReaderPrivate::initHandler() + 773
4 QtGui 0x00607b68 QImageReader::read(QImage*) + 1240
5 QtGui 0x00607f59 QImageReader::read() + 41
6 QtGui 0x0061c06f QPixmapData::fromFile(QString const&, char const*, QFlags) + 63
7 QtGui 0x00617d75 QPixmap::load(QString const&, char const*, QFlags) + 1157
8 QtGui 0x00618295 QPixmap::QPixmap(QString const&, char const*, QFlags) + 149
9 net.vidalia-project.vidalia 0x000c70f9 Ui_MainWindow::setupUi(QMainWindow*) + 3403
10 net.vidalia-project.vidalia 0x000bf905 MainWindow::MainWindow() + 253
11 net.vidalia-project.vidalia 0x000b26dc main + 1952
12 net.vidalia-project.vidalia 0x00007252 _start + 216
13 net.vidalia-project.vidalia 0x00007179 start + 41

khled.8@hotmai.com

February 03, 2010

Permalink

I installed the new security updates. Installed 0.2.2.8-alpha release and its tor buttons too. Still doesn't work, "The proxy server is refusing connections" message.

khled.8@hotmai.com

February 03, 2010

Permalink

I cant compile 0.2.2.8 on windows. I get the following error.

"""
x:/MinGW/extend/local/ssl/lib/libssl.a(s3_srvr.o):s3_srvr.c:(.text+0x20fb): undefined reference to `_ECDH_compute_key'

x:/MinGW/extend/local/ssl/lib/libssl.a(s3_srvr.o):s3_srvr.c:(.text+0x2384): undefined reference to `_X509_certificate_type'

collect2: ld returned 1 exit status
make[3]: *** [tor.exe] Error 1
"""

:-S

Does anyone have any ideas ? This is with openssl 0.9.8l, which worked fine with tor 0.2.2.7.

Im stumped....

What version of openssl is used to compile tor 0.2.2.8 ?

Hi,
It's not about this subject, but i don't how can i send this notification.
I'm an new user of tor in Iran and today in "view the network" button of vidalia, i have saw someone relays traffic from Iran.
213/207.223.74
because of the lots of filters and traffics analysis from government, I'm not sure it's can be helpful and can cause some dangers OR it can be an dump connection that collect data and information about encryption s and protocols uses by tor to destroy connections from Iran.
I'm not sure but i just want to send an notification.
thank you tor for helping freedom in Iran.

I'm not surprised, the Cuban robberlutionary dis-government (i.e. murderous tyranny) is worse than the tyranny in Iran, good luck to you freedom loving Iranian people, you're at the cusp of regaining your lost freedoms, do not trust the Americans though, the plutocracy in power in the USA will stab you in the back at any opportunity, you would not be the first or the last to be betrayed by them.

normal wersion not working, alpha 2.2.8 connecto to tor net.

Many thanks (10.5.8 intel)

Mac OS X 10.6 (intel)
Status: Working

I felt so...naked before.

Many thanks!

Hi, Does anyone have a hint for the following problem, please? (Have 0.2.2.8-alpha bundle installed + included version of Torbutton, together with Firefox 3.6 and OS 10.6.2 intel):

Vidalia connects to Tor network, but using Firefox with Torbutton enabled returns "The proxy server is refusing connections". Have tried out a couple of different proxy settings and searched various related blogs. Really don't know what else I could try. Many thanks in advance for any ideas!

P.S.: Forgot to add that everything worked neatly before the openssl issue; so I reckon the problem must have to do with one of the modified components... Thanks!

thanks, so far so good! appreciate your work :)

I have two Macs, both are intel and both are running the latest patched version of 10.6. I followed the instructions on both. On the iMac, TOR works fine. On the MacBook, I get an error message:
Feb 10 20:28:24.630 [Notice] Tor v0.2.2.8-alpha (git-ff88bc7db8edeb29). This is experimental software. Do not rely on it for strong anonymity. (Running on Darwin i386)

Feb 10 20:28:24.631 [Notice] Initialized libevent version 1.4.13-stable using method kqueue. Good.

Feb 10 20:28:24.631 [Notice] Opening Socks listener on 127.0.0.1:9050

Feb 10 20:28:24.632 [Warning] Could not bind to 127.0.0.1:9050: Address already in use. Is Tor already running?

Feb 10 20:28:24.632 [Warning] Failed to parse/validate config: Failed to bind one of the listener ports.

Feb 10 20:28:24.632 [Error] Reading config failed--see warnings above.

I'm a novice Tor user. I am running Tor on a MacBook Pro (Intel Core 2 duo). After a long period of running Tor without difficulty, I started receiving the same error message reported in the message strings above:

Feb 10 23:46:50.106 [Notice] Tor v0.2.1.22. This is experimental software. Do not rely on it for strong anonymity. (Running on Darwin i386)
Feb 10 23:46:50.107 [Notice] Initialized libevent version 1.4.13-stable using method kqueue. Good.
Feb 10 23:46:50.107 [Notice] Opening Socks listener on 127.0.0.1:9050
Feb 10 23:46:50.107 [Notice] Opening Control listener on 127.0.0.1:9051
Feb 10 23:46:50.534 [Notice] Bootstrapped 10%: Finishing handshake with directory server.
Feb 10 23:46:50.750 [Warning] TLS error: unexpected close while renegotiating
Feb 10 23:46:50.751 [Notice] No current certificate known for authority moria1; launching request.
Feb 10 23:46:50.751 [Notice] No current certificate known for authority gabelmoo; launching request.
Feb 10 23:46:50.751 [Notice] No current certificate known for authority dannenberg; launching request.
Feb 10 23:47:20.823 [Warning] TLS error: unexpected close while renegotiating

From the blog post above, it appears there's a solution to this problem. But I don't know how to "supply the definition to Tor directly, for example by compiling Tor using CPPFLAGS='-DSSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION=0x0010' ./configure && make"

Can anyone explain to a newbie how to apply this fix? Or is TorProject coming out with a new release to address it?

I believe they meant to say:

CPPFLAGS="$CPPFLAGS -DSSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION=0x0010" ./configure && make

No reason to blow away your old CPPFLAGS...

I want to help Iranian people and other open a relay but on osx 10.6.2 vidalia crash........

and precisely wtf has this to do with tor i wonder ?

So has anyone noticed that the latest workaround for OS 10.6 doesn't seem to be working on laptops?

It doesn't work for me either.
Intel Macbook, Mac OS 10.5.8, latest updates...

Feb 14 21:07:43.564 [Warning] TLS error: unexpected close while renegotiating
Feb 14 21:07:43.572 [Notice] No current certificate known for authority dannenberg; launching request.
Feb 14 21:08:43.119 [Notice] No current certificate known for authority dannenberg; launching request.
Feb 14 21:08:43.273 [Warning] TLS error: unexpected close while renegotiating
Feb 14 21:09:44.300 [Warning] TLS error: unexpected close while renegotiating

Same here
TLS error: unexpected close while renegotiating

Worked fine last week, but from this weekend on ... nothing.
at least noticed it this weekend first.

thanks!

I'm having some difficulty here. I downloaded the file as advised above and keep getting the following errors to the point it won't even start up:

Feb 15 21:48:59.430 [Notice] Tor v0.2.2.8-alpha (git-ff88bc7db8edeb29). This is experimental software. Do not rely on it for strong anonymity. (Running on Darwin Power Macintosh)
Feb 15 21:48:59.436 [Notice] Initialized libevent version 1.4.13-stable using method kqueue. Good.
Feb 15 21:48:59.438 [Notice] Opening Socks listener on 127.0.0.1:9050
Feb 15 21:48:59.439 [Notice] Opening Control listener on 127.0.0.1:9050
Feb 15 21:48:59.441 [Warning] Could not bind to 127.0.0.1:9050: Address already in use. Is Tor already running?
Feb 15 21:48:59.442 [Notice] Closing partially-constructed listener Socks listener on 127.0.0.1:9050
Feb 15 21:48:59.444 [Warning] Failed to parse/validate config: Failed to bind one of the listener ports.
Feb 15 21:48:59.445 [Error] Reading config failed--see warnings above.

If I change the port it connects but other applications won't work it's almost like it's causing dual problems. How can I fix this?

This worked for a while, but as of Feb. 15 I am getting an error message: Reading config failed. Also, Little Snitch is telling me that TOR is trying to use the internet even when the app isn't running. What's up with that?

Highly suspect. Is something else starting Tor for you?

I have the same problem... feb 18 00:49:41.118 [Warning] TLS error: unexpected close while renegotiating... tor doesn't work... please help me... I'm a newbie... how can I fix the problem!?!?

The latest 0.2.1.23 version of tor works fine, see https://torproject.org/easy-download.

Hej,

I had the same problem. So I downloaded the mentioned package and it worked. No problem. But the next start of Vidalia I get a new error:
Could not bind to 127.0.0.1:9050: Address already in use. Is Tor already running?

Any solution for this?

Still not working with either 0.2.1.23 or 0.2.2.28-alpha on 10.6.2. Same "TLS error: unexpected close while renegotiating". HELP!

yes i confirm the same error with the same setup.

Thanks for fixing Tor for OSX; 2.2.8 works like a charm and I am once again able to act as relay.
(OSX 10.6.2 on @G Core Duo)

what about version of openssl can i safely upgrade 10.5.8 ppc ?

it compiled right out of the box ./config --prefix=/usr

is there any dangers of doing that ?
-j

Apr 14 21:54:55.976 [Notice] Tor v0.2.1.30. This is experimental software. Do not rely on it for strong anonymity. (Running on Darwin i386)
Apr 14 21:54:55.999 [Notice] Initialized libevent version 1.4.13-stable using method kqueue. Good.
Apr 14 21:54:56.000 [Notice] Opening Socks listener on 127.0.0.1:9050
Apr 14 21:54:56.000 [Notice] Opening Control listener on 127.0.0.1:9051
Apr 14 21:54:56.024 [Notice] Parsing GEOIP file.
Apr 14 21:54:56.420 [Notice] OpenSSL OpenSSL 0.9.8p 16 Nov 2010 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Apr 14 21:54:58.504 [Notice] We now have enough directory information to build circuits.
Apr 14 21:54:58.505 [Notice] Bootstrapped 80%: Connecting to the Tor network.
Apr 14 21:54:58.505 [Notice] Bootstrapped 85%: Finishing handshake with first hop.
Apr 14 21:54:59.076 [Notice] Bootstrapped 90%: Establishing a Tor circuit.
Apr 14 21:55:00.044 [Notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Apr 14 21:55:00.045 [Notice] Bootstrapped 100%: Done.
Apr 14 21:55:00.488 [Notice] Our directory information is no longer up-to-date enough to build circuits: We have only 0/2309 usable descriptors.
Apr 14 21:55:00.488 [Notice] I learned some more directory information, but not enough to build a circuit: We have only 0/2309 usable descriptors.
Apr 14 21:55:02.870 [Notice] I learned some more directory information, but not enough to build a circuit: We have only 5/2309 usable descriptors.
Apr 14 21:55:03.577 [Notice] I learned some more directory information, but not enough to build a circuit: We have only 101/2309 usable descriptors.
Apr 14 21:55:03.730 [Notice] I learned some more directory information, but not enough to build a circuit: We have only 197/2309 usable descriptors.
Apr 14 21:55:03.731 [Notice] I learned some more directory information, but not enough to build a circuit: We have only 293/2309 usable descriptors.
Apr 14 21:55:03.959 [Notice] I learned some more directory information, but not enough to build a circuit: We have only 389/2309 usable descriptors.
Apr 14 21:55:03.960 [Notice] I learned some more directory information, but not enough to build a circuit: We have only 485/2309 usable descriptors.
Apr 14 21:55:03.960 [Notice] We now have enough directory information to build circuits.
Apr 14 23:54:32.187 [Notice] We stalled too much while trying to write 235458 bytes to address [scrubbed]. If this happens a lot, either something is wrong with your network connection, or something is wrong with theirs. (fd 15, type Socks, state 11, marked at connection_edge.c:93).
what does this mean and how do i fix this?