> Tor is not vulnerable to the attack when used with the broken OpenSSL,
> but the patch stops it from working correctly as described in the
> above thread. The issue is fixed only in the alpha version of Tor, and
> AFAIK won't be fixed in stable:
>
> https://blog.torproject.org/blog/tor-0226-alpha-released
It is fixed in Tor's stable release already:
http://archives.seul.org/tor/announce/Dec-2009/msg00000.html

Changes in version 0.2.1.21 - 2009-12-21
  o Major bugfixes:
    - Work around a security feature in OpenSSL 0.9.8l that prevents our
      handshake from working unless we explicitly tell OpenSSL that we
      are using SSL renegotiation safely. We are, of course, but OpenSSL
      0.9.8l won't work unless we say we are.

In "master" there's even a fix for the so far unreleased OpenSSL 0.9.8m
already, see:
https://git.torproject.org/checkout/tor/master/ChangeLog

> I don't want to run alpha Tor, or use broken OpenSSL. What should I do
> to make stable Tor run (I am not a coder, just a user - so I can't put
> up and hack up :) )?

In fact, upgrading the port is quite easy; I do that myself with the alpha
version sometimes. Usually it's just replacing the version number in the
port's Makefile and then "make makesum && make package", checking that
everything is ok, and installing the new package. More info here:
http://www.openbsd.org/faq/ports/guide.html#PortsUpdate

> Are there any plans to replace OpenSSL with something more secure?
>
> Thanks. Tas.
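The port-update recipe from the reply above, written out as a small script. This is an added example, not something posted in the thread and not part of the OpenBSD ports tree; it assumes the port's Makefile carries the version in a `DISTNAME = tor-X.Y.Z` line (ports that use a separate `V =` variable would need the pattern adjusted) and that `update_port` is called from the port directory with enough privileges for the install step. The sample Makefile lines used for checking the edit are constructed.

```shell
#!/bin/sh
# Added example: bump an OpenBSD port to a new upstream version and rebuild it.
# Assumption: the version lives in a "DISTNAME = name-X.Y.Z" line of the
# port's Makefile (true for net/tor; other ports may use V= instead).
#
# Usage: . ./bump-port.sh && cd /usr/ports/net/tor && update_port 0.2.1.21

# bump_distname MAKEFILE NEWVERSION
# Rewrite only the version suffix of the DISTNAME line, leaving the package
# name and every other line untouched, then print the resulting DISTNAME
# line so the caller can eyeball (or assert on) what was written.
bump_distname() {
    mk=$1
    new=$2
    [ -f "$mk" ] || { echo "no such Makefile: $mk" >&2; return 1; }
    # Write to a temp file and rename, which works the same with GNU and
    # BSD sed (their -i flags differ).
    sed -E "s/^(DISTNAME[[:space:]]*=[[:space:]]*[A-Za-z0-9_]+-)[0-9.]+/\1${new}/" "$mk" \
        > "$mk.new" && mv "$mk.new" "$mk" || return 1
    grep -E '^DISTNAME[[:space:]]*=' "$mk"
}

# update_port NEWVERSION
# The sequence described in the reply: edit the Makefile, regenerate the
# distinfo checksums for the new tarball, build a package, and install it.
# "make package" stops on build or packaging errors, which is the point at
# which to check that everything is ok before installing.
update_port() {
    bump_distname Makefile "$1" || return 1
    make makesum || return 1
    make package || return 1
    # Installs the package that was just built under ${PACKAGE_REPOSITORY}.
    make install
}
```

Only `bump_distname` touches files by itself; `update_port` is what you run interactively from the port directory once the distfile for the new version is reachable from the port's MASTER_SITES, and `make makesum` will fail loudly if it is not.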