Bug 234483

Summary: Tor relay on FreeBSD 12.0-RELEASE gives OpenSSL errors with Base OpenSSL 1.1.1a
Product: Base System
Reporter: Neel Chauhan <nc>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
CC: jhb, jkim, nc, oitdmser
Priority: ---
Keywords: needs-qa, regression
Version: 12.0-RELEASE
Flags: koobs: mfc-stable12?
Hardware: Any   
OS: Any   
See Also: https://github.com/openssl/openssl/pull/7755
Bug Depends on:    
Bug Blocks: 231931    

Description Neel Chauhan freebsd_committer freebsd_triage 2018-12-29 03:00:15 UTC
When I run a Tor relay on FreeBSD 12.0-RELEASE with Base OpenSSL (1.1.1a), I get errors like:

Dec 28 21:34:13.000 [warn] Unhandled OpenSSL errors found at src/common/buffers_tls.c:155: 
Dec 28 21:34:13.000 [warn] TLS error: internal error (in SSL routines:tls13_hkdf_expand:---)

This is an OpenSSL error, as described in Tor's bug tracker of the same error on Debian Buster: https://trac.torproject.org/projects/tor/ticket/28616

A GitHub pull request with a fix is here: https://github.com/openssl/openssl/pull/7755

This fix has been committed to OpenSSL.

The full Tor execution log is:

neel@xb3:~ % tor -f /tmp/torrc
Dec 28 21:34:00.959 [notice] Tor 0.3.4.9 (git-4ac3ccf2863b86e7) running on FreeBSD with Libevent 2.1.8-stable, OpenSSL 1.1.1a-freebsd, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.7.
Dec 28 21:34:00.960 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 28 21:34:00.960 [notice] Read configuration file "/tmp/torrc".
Dec 28 21:34:00.963 [notice] Your ContactInfo config option is not set. Please consider setting it, so we can contact you if your server is misconfigured or something else goes wrong.
Dec 28 21:34:00.963 [notice] Based on detected system memory, MaxMemInQueues is set to 5582 MB. You can override this by setting MaxMemInQueues by hand.
Dec 28 21:34:00.964 [notice] Scheduler type KISTLite has been enabled.
Dec 28 21:34:00.964 [notice] Opening OR listener on 0.0.0.0:12345
Dec 28 21:34:00.000 [notice] Parsing GEOIP IPv4 file /usr/local/share/tor/geoip.
Dec 28 21:34:01.000 [notice] Parsing GEOIP IPv6 file /usr/local/share/tor/geoip6.
Dec 28 21:34:01.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
Dec 28 21:34:01.000 [notice] You are running a new relay. Thanks for helping the Tor network! If you wish to know what will happen in the upcoming weeks regarding its usage, have a look at https://blog.torproject.org/blog/lifecycle-of-a-new-relay
Dec 28 21:34:01.000 [notice] It looks like I need to generate and sign a new medium-term signing key, because I don't have one. To do that, I need to load (or create) the permanent master identity key. If the master identity key was not moved or encrypted with a passphrase, this will be done automatically and no further action is required. Otherwise, provide the necessary data using 'tor --keygen' to do it manually.
Dec 28 21:34:01.000 [notice] Your Tor server's identity key fingerprint is 'FU 826502AA721AC21F0E54104490DB3D97932C6D05'
Dec 28 21:34:01.000 [notice] Bootstrapped 0%: Starting
Dec 28 21:34:01.000 [notice] Starting with guard context "default"
Dec 28 21:34:02.000 [notice] Guessed our IP address as 103.60.128.113 (source: 204.13.164.118).
Dec 28 21:34:04.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
Dec 28 21:34:05.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
Dec 28 21:34:06.000 [notice] The current consensus has no exit nodes. Tor can only build internal paths, such as paths to onion services.
Dec 28 21:34:06.000 [notice] Bootstrapped 45%: Asking for relay descriptors for internal paths
Dec 28 21:34:06.000 [notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/6304, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 100% of end bw (no exits in consensus) = 0% of path bw.)
Dec 28 21:34:09.000 [warn] Received http status code 414 ("Request-URI Too Large") from server '178.62.197.82:80' while fetching "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z". I'll try again soon.
Dec 28 21:34:10.000 [notice] The current consensus contains exit nodes. Tor can build exit and internal paths.
Dec 28 21:34:10.000 [notice] Bootstrapped 50%: Loading relay descriptors
Dec 28 21:34:13.000 [warn] Unhandled OpenSSL errors found at src/common/buffers_tls.c:155: 
Dec 28 21:34:13.000 [warn] TLS error: internal error (in SSL routines:tls13_hkdf_expand:---)
Dec 28 21:34:14.000 [warn] Received http status code 502 ("Bad Gateway") from server '91.219.237.229:80' while fetching "/tor/server/d/FBF21FF9897F474297A746122A983E5BE4FE3807+FBFD95D0C5602846E2B029FCA1AD9EF32EC15933+FBFFF51CCEC022453BDC2EAB63797AD66168102B+FC2FD14EDFA19B90A42388A9CD83BBE9E46F5C4D+FC40639DCA5D0869D937C9F9DE36172BCC6C61C8+FC47ABD004E3ABBFAF1C831AF227CA67D9D53809+FC563EDF7A9DE0309DE7ACA53BFA8C6CAFB8FCA7+FC6A7F68B91E1A0BFDE6D7F1F137D6AFA7E362B4+FC6B51D3722A64F5224BE97E0DD7A7CF854EACEC+FC6BD554E8AA2D5E9E52E632A9B11D314B042F76+FC7612BA423D7DE0620647A90461B0726F46C54E+FC7BC79A13B264E12C06D68DF1C8E1BE424918DA+FC93A69831E407D44EA3786EA223E99031C5A725+FC9E2985F8F478ED0DDA74E90268FCA79384B50B+FCA41BEA99BEC4F134740F8FF55DC9F9A6E4B071+FCAEBA0E828A0B00A3E71EF486422DB6BF66B46D+FCB0008EEAEF4701510A93374BF9352ADB74F58E+FCB3A1AE6E93AA48FA7E10555027BF8CE806E8A9+FCB4E1FF5F2F64813206CB69C849F084ABB1D8F8+FCB61C968F25056E7F33A24781C74AB8226B5475+FCB8CB03630C3EC476A3F9FE3B058C0579159B08+FCC0335C94BF02A0954E10D30728459AF87C7FCF+FCC77C7A8E1A0EAD7C56B7E09C353CDF7FA7C8BB+FCC908AC69730D5141B394DA0EFC1AC456A84628+FCCC3460380BF5818E272B598029F26E82D26826+FCD9725C55FEBB8CCAEB978215C9CBBE8AB2E510+FCE1193DF6ACBDE74FF1D8A6337141939AC05CD1+FCE8517CB110D928D8204C893E29C538D169B41F+FCED665B79EA5A1B730B994302980BB20598BBB9+FD0295FFFE94FCC2DBEE25447A9E493B62397327+FD1A61A3FB3FC1C47C72DE6CA36A5A46950F4136+FD20E1591EA023EF89371E624ABC35E26045FFF5+FD23197A0C539D1CFA56598C84B81D40F1B5B1AC+FD2CA408DCF637C18284858CFB42EE77ED463569+FD32D2DFB824B0D5B32A5936DC7C18A9560848B0+FD85DE1ECF1AE55D8B0D196468FF8B34E707A3ED+FD89C73CC3C6823050DABAAE4D23026E725C2D9B+FD989CFC7D2C25CDCA248E52F01F59FA24558DC6+FDA49681DD606E43F12A6881BBC95CB2629DF691+FDAAD4D02358F67A7694CB9912608A6B4CBFB1CE+FDACE198B28F61772C2398F1347F58E7F2F6717B+FDAF59BD3F812EE4F62940EBDB03E8F2697135F6+FDE2887BE85E4DC874CE4255FD1EA35A4F1A9E8A+FDEA865DBA2D5B1CB684B8383282544A4C1080C5+FDF013495487AD3180CA5F35CE5EEA5AD1CF358E+FDFBDEABA5B75E678AED
82354435CA48951B6D95+FE0AF05467957FD9F93378E8215218705AFE058B+FE192A0D2FAB6CE92115F456E634DA44812FCA7E+FE1BEFD2BB86E512B4787A2E1BC56333AC877316+FE264E779B92592B35FAD8910D4072815EB895A0+FE2E6199696AED4851DE3D21DFCDF6B0D1D29CC7+FE51135C218ED4CF00CDD2182D46B7E11DE030A3+FE557E0A047843027088450D31D07A9B7DC57718+FE5E4A424D51FCA3976CA8BAC51DE99E4B7DC33F+FE75A220DD30F2E5C7413D8D3170BA0A6F47CAB3+FE7EAA8998DCDD0A5F5FF19673C0561BC11F3F5E+FE83BA9A8CDB5076C8127FE216C0682474D7F0C5+FE8A407C3A9A628E40BF30C223187325C60D6AED+FEA32741E3E91C52904323DED19B8FBB54604F04+FEA5FDCF21F0643EEDE989A1ADDB7E108093C7EE+FEAE6B4BF73AD6E8D9918FAD64554FE6D31FF349+FED85AB37322A6061F17C0522D61DB4A590F71CC+FEE62E20AED0712F7E0D5C1C549C0B004DC08C99+FEFD9E2BA82382CB6350B0CD6B32385D64917DD9+FF0BC4FB558CF8AF3D9F12B12822AB21C381FC5E+FF13770F9AB1FD078E2E72A841C7CCF5B5AB70B2+FF1BC37B42EC7DBA0AD5FDC4869C72ABD01E90A9+FF2F0788AA5BF98E7020F2211AE21BD769895CEC+FF39BF5564D1E4496FB8124407F0276F76C21720+FF420207BF9B1EF41AB99FC1455DD6662A1A9D2F+FF5565D70661C973A8003449D1739523723373B9+FF58875F8A3738D80EBDD76CF24DC96BA5EF655A+FF657A99C674DE4A1B14E2FB85B36348C49F0737+FF751CC45CA98EAF8A1FA65AC8C992598BDA0259+FF7A9D3356B0722F6F232FF2CF961A5B4BA57B9E+FF7C46AF64EAA7D35BCC25CC5775FB5FBC522785+FF7F1E7AEB02F6EF9C98F97E118C837C29EE3738+FF7F2A374A5AA42BAC302A36AA888782C7DF547E+FF88E5E33E6168DCE872541DC3CBB605010C1F08+FF8E391B2D3FE964C1F5DABD89D0063EC5BBC1C7+FF9CF8E72E09F5CB503BEFF368367F5081A97F06+FFA0289428477B55B3AA9C2266406CEFE80C47D3+FFC01983508CF9722A3DFF9A8EEBC136F97BBCF8+FFD110A122B68041EBE5D57FDA44A3CE060CA4A5+FFE832B65EB739F0A5D7CB7BD034CC343DE1E7A1.z". I'll try again soon.
^Crm^C^C
Dec 28 21:34:23.000 [notice] Interrupt: we have stopped accepting new connections, and will shut down in 30 seconds. Interrupt again to exit now.
Dec 28 21:34:23.000 [notice] Delaying directory fetches: We are hibernating or shutting down.

Dec 28 21:34:25.000 [notice] SIGINT received a second time; exiting now.
neel@xb3:~ %

Comment 1 John Baldwin freebsd_committer freebsd_triage 2019-07-01 21:56:58 UTC
This fix was included in OpenSSL 1.1.1b, which has been merged to stable/12. I don't think it will end up getting merged to 12.0-RELEASE, but security/openssl11 has been updated to 1.1.1c, so I believe this can be closed.

Comment 2 Neel Chauhan freebsd_committer freebsd_triage 2019-07-01 22:03:53 UTC
Thanks!

Also, the Tor developers have implemented a workaround for this bug in OpenSSL 1.1.1a, but good to know it got fixed in FreeBSD.
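
A log triage check for the condition in this report, as an added example (not part of the bug report, Tor, or FreeBSD): it reads a Tor log, takes the OpenSSL version from the startup banner, and collects the tls13_hkdf_expand warnings. The function name triage, the verdict strings and the second sample log are assumptions made for the example; the version boundaries come from the report (1.1.1a) and Comment 1 (fixed in 1.1.1b).

```python
import re

# Startup banner, e.g. "... [notice] Tor 0.3.4.9 (...) ... OpenSSL 1.1.1a-freebsd, ..."
BANNER = re.compile(r"\[notice\] Tor (\S+) .*?OpenSSL (\d+\.\d+\.\d+)([a-z]?)")
# The warning quoted in the report.
HKDF_WARN = re.compile(
    r"\[warn\] TLS error: internal error \(in SSL routines:tls13_hkdf_expand:")

def classify(base, letter):
    """Version boundaries as stated on this page only; anything else is 'unknown'."""
    if base == "1.1.1" and letter == "a":
        return "affected"
    if base == "1.1.1" and letter >= "b":
        return "fixed"
    return "unknown"

def triage(log_text):
    """Correlate the linked OpenSSL version with tls13_hkdf_expand warnings."""
    tor, base, letter, hits = None, None, "", []
    for line in log_text.splitlines():
        m = BANNER.search(line)
        if m:
            tor, base, letter = m.groups()
        elif HKDF_WARN.search(line):
            hits.append(" ".join(line.split()[:3]))  # keep the timestamp
    status = classify(base, letter) if base else "unknown"
    if not hits:
        verdict = "clean"
    elif status == "affected":
        verdict = "known-bug"      # matches this report: update OpenSSL
    else:
        verdict = "investigate"    # warning seen on a version the page does not blame
    return {"tor": tor, "openssl": (base or "") + letter,
            "status": status, "warnings": hits, "verdict": verdict}

# Lines taken from the report's log, abbreviated.
SAMPLE_AFFECTED = """\
Dec 28 21:34:00.959 [notice] Tor 0.3.4.9 (git-4ac3ccf2863b86e7) running on FreeBSD with Libevent 2.1.8-stable, OpenSSL 1.1.1a-freebsd, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.7.
Dec 28 21:34:13.000 [warn] Unhandled OpenSSL errors found at src/common/buffers_tls.c:155:
Dec 28 21:34:13.000 [warn] TLS error: internal error (in SSL routines:tls13_hkdf_expand:---)
"""
# Constructed sample: same banner shape with the 1.1.1c port named in Comment 1.
SAMPLE_FIXED = """\
Jul 01 22:10:00.000 [notice] Tor 0.3.4.9 (git-4ac3ccf2863b86e7) running on FreeBSD with Libevent 2.1.8-stable, OpenSSL 1.1.1c, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.7.
Jul 01 22:10:05.000 [notice] Bootstrapped 50%: Loading relay descriptors
"""

if __name__ == "__main__":
    print(triage(SAMPLE_AFFECTED))
    print(triage(SAMPLE_FIXED))
```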