| Sebastian | BarkerJr: please break barkerjrparis again so we can debug? |
| BarkerJr | k, breaking |
| Sebastian | BarkerJr: thanks! |
| Sebastian | BarkerJr: let me know when you're done |
| BarkerJr | Apr 12 21:41:38.100 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor. |
| Sebastian | yay you broke it |
| Sebastian | thanks |
| BarkerJr | np :) |
| Sebastian | BarkerJr: can you unbreak it? |
| Sebastian | (is this a lot of work for you?) |
| Sebastian | (I want you to unbreak it so I can get the debug log for comparison with the working relay. Too bad I didn't save it last time) |
| BarkerJr | k |
| Sebastian | if it is a lot of work I'll try hard to recreate your setup and do the work |
| BarkerJr | nah, it's not bad |
| BarkerJr | yum downgrade httpd mod_ssl openssl openssl-devel; kill -TERM `pidof tor` |
| BarkerJr | then it restarts a minute later |
| Sebastian | nice |
| Sebastian | let me know when you're done |
| BarkerJr | all set |
| BarkerJr | I have a minutely cron job that starts tor if it's not running |
| Sebastian | BarkerJr: What Tor package is that? |
| Sebastian | Where does it come from? |
| nickm | My current theory is that there's some binary compatibility issue, and that if you were to build Tor from source to link against openssl-1.0.0 it would work fine, but for some reason Tors built with older openssls don't work when linked with openssl-1.0.0 |
| nickm | I could be wrong, but if I'm right, this will be easy to debug by "try and find out" methods, and hard to debug by looking at logs. |
| nickm | Because this is a very hard bug to figure out by tracing through the source (since it involves Tor thinking that it's using one version of the openssl data structures when it's really using another), I'd really like to rule it out if possible. |
| BarkerJr | I tried that a few days ago (and noted that in the bug), but I could try again if you want to see what you get in debug logs |
| BarkerJr | this is 0.2.2.10 source |
| BarkerJr | don't remember when I compiled it |
| Sebastian | what did you try? |
| BarkerJr | I downloaded and compiled tor-0.2.1.25.tar.gz on friday with ./configure --enable-openbsd-malloc --disable-asciidoc |
| BarkerJr | I can't imagine those configure options would cause it, though, cause the packages don't use them, right? |
| Sebastian | I think that might mean that you compiled against an earlier version of openssl |
| Sebastian | can you compile it against 1.0.0 and see what happens then? |
| BarkerJr | the new version was released 1.5 weeks ago |
| Sebastian | so you're saying you did compile against the latest version? |
| BarkerJr | yeah, 0.9.8e-12.el5_4.6 |
| Sebastian | ok. hm. now my head explodes. |
| BarkerJr | 0.9.8e-12.el5_4.1 is the one that works |
| Sebastian | do you know how to get a diff between them? |
| BarkerJr | hmm, not sure |
| nsa | or: [tor/master] 2010-04-12 22:12:49 Nick Mathewson <nickm@torproject.org>: Log bandwidth_weight_rule_t as a string, not an integer. |
| murb | ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/openssl-0.9.8e-12.el5_4.6.src.rpm and ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/openssl-0.9.8e-12.el5_4.1.src.rpm |
| murb | apparently |
| BarkerJr | thx |
| Action: murb tries to remember flags to rpmbuild |
| Sebastian | I guess that takes care of nickm's abi incompatibility |
| nsa | or: [tor/maint-0.2.1] 2010-04-12 22:10:56 Peter Palfrader <peter@palfrader.org>: testsuite: Prevent the main thread from starving the worker threads |
| nsa | or: [tor/maint-0.2.1] 2010-04-12 20:49:58 Peter Palfrader <peter@palfrader.org>: testsuite: Only free the main mutex when and if all the worker threads are done |
| Sebastian | I also wonder if something was backported from openssl 1.0.0. |
| murb | diffs of diffs are confusing. |
| data | nickm: haven't read everything, but I am using gentoo here |
| murb | http://www.yuri.org.uk/~murble/opensslrh.diff |
| data | after the update to 0.9.8m, it stopped working for me |
| nsa | or: [tor/master] 2010-04-12 22:22:06 Nick Mathewson <nickm@torproject.org>: Merge commit 'origin/maint-0.2.1' |
| nsa | or: [tor/master] 2010-04-12 20:49:58 Peter Palfrader <peter@palfrader.org>: testsuite: Only free the main mutex when and if all the worker threads are done |
| nsa | or: [tor/master] 2010-04-12 22:10:56 Peter Palfrader <peter@palfrader.org>: testsuite: Prevent the main thread from starving the worker threads |
| Sebastian | data: and when you recompile against that new openssl version, you get breakage too? |
| nickm | Sebastian: so when people recompile against openssl 1.0.0, they fail, but when you try a private network using openssl 1.0.0, it works? |
| nickm | odd |
| Sebastian | nah |
| Sebastian | I haven't tried openssl 1.0.0 myself |
| Sebastian | but reading what data and murb write, it might not be openssl 1.0.0 only |
| nickm | oh; I thought you had. |
| Sebastian | see their version numbers |
| nickm | sure, but one thing at a time |
| data | recompiling atm |
| Sebastian | I'm just now fetching 0.9.8n |
| Sebastian | trying that first, because that is what data uses |
| nickm | I wonder if they broke renegotiation again, harder. |
| data | i mistyped, btw. it's n that is not working |
| data | yeah, last time was a lot of fun with all my client certificates... |
| Sebastian | nickm: so they did implement rfc something |
| Sebastian | http://tools.ietf.org/html/rfc5746 |
| Sebastian | that one |
| Sebastian | first version they implemented it was m |
| data | is there a document where the negotiation used in tor is being described? |
| nickm | hm. I wonder if there's an option we need to twiddle to tell it, "it's okay if the other side doesn't do stuff the rfc5746 way!" |
| nickm | or if that's just the same option as before. |
| nickm | Hm.. SSL_OP_LEGACY_SERVER_CONNECT . I wonder if we need to mess with this. |
| Sebastian | maybe http://kbase.redhat.com/faq/docs/DOC-20491 helps? |
| Sebastian | section "Updates adding RFC 5746 support" |
| nickm | http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html might. but it doesn't seem to imply that we need to do anything. |
| nickm | i guess we might need to use the source |
| Action: nickm needs to take a break before trying to read openssl source again |
| Sebastian | ok |
| data | Sebastian: I just rebuilt and restarted |
| data | Your Tor server's identity key fingerprint is 'CompSciR0x 6598FCA0B3ADF12DD6B11838812BDCC81C293852' |
| nickm | ooh, from the openssl 0.9.8m changelog: 'If client attempts to renegotiate and doesn't support RI respond with a no_renegotiation alert as required by RFC5746. Some renegotiating TLS clients will continue a connection gracefully when they receive the alert. Unfortunately OpenSSL mishandled this alert and would hang waiting for a server hello which it will never receive. Now we treat a received no_renegotiation alert as a fatal error. This is because applications requ |
| nickm | oops, bigger than I thought. |
| Sebastian | data: got an ip and port for me? |
| Sebastian | yeah |
| Sebastian | hah |
| Sebastian | that looks kind of relevant :) |
| data | Now checking whether ORPort 84.19.191.213:443 and DirPort 84.19.191.213:80 |
| nickm | Sebastian: conceivably. |
| data | btw. I jumped from l to n |
| data | so it might be changes in m or n |
| Sebastian | data: works for me now. |
| data | really? hmm |
| data | i did a link check with revdep-rebuild, but it found nothing |
| Sebastian | data: otoh, I did update my openssl to 0.9.8n now |
| Sebastian | BarkerJr: is your relay currently broken? |
| Sebastian | If not, please break it? |
| data | Sebastian: how are you testing? |
| Sebastian | trying to use your relay as a bridge |
| Sebastian | ah no, that's not it. I'm still using 0.0.8l |
| Sebastian | erm, 0.9.8l |
| BarkerJr | not broken |
| BarkerJr | didn't you tell me to file duplicate tickets today? :) |
| Sebastian | I meant "please file one bug with both issues" :) |
| Sebastian | I didn't word it so well. |
| BarkerJr | why would you want one bug for two issues? |
| BarkerJr | then you are forced to fix both in the same version |
| BarkerJr | anyway, should be broken now: Apr 12 23:03:47.170 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor. |
| Sebastian | thanks |
| Sebastian | it's still broken for me. good. |
| BarkerJr | :) |
| data | Sebastian: it really seems like I fixed it by recompiling |
| Sebastian | interesting. |
| Sebastian | thanks for testing. |
| Sebastian | This is just getting way over my head. ugh. |
| data | BarkerJr: did you try compiling it by hand? |
| Sebastian | he did that from the start :/ |
| Sebastian | haha |
| Sebastian | now that I try to use openssl 0.9.8n, Tor doesn't compile for me |
| Sebastian | nickm: i get this error: |
| Sebastian | In file included from torgzip.c:19: |
| Sebastian | /opt/local//include/zlib.h:1568:32: error: "_FILE_OFFSET_BITS" is not defined |
| Sebastian | I'm not sure why Tor would use zlib from macports. I only told it to use openssl |
| nsa | or: [debian-tor/debian-0.2.1] 2010-04-12 22:25:27 Peter Palfrader <peter@palfrader.org>: Minor bugfixes to make the testsuite work on our new Octeon machines |
| data | yeah, tor is definitely working again. already at 2k connections |
| Sebastian | and when Tor started it told you you were using the newest version? |
| Sebastian | erm, the new openssl version |
| data | where would it say such a thing? |
| Sebastian | when it starts |
| Sebastian | Apr 13 00:57:22.501 [notice] OpenSSL OpenSSL 0.9.8l 5 Nov 2009 looks like version 0.9.8l; I will try SSL3_FLAGS to enable renegotation. |
| Sebastian | something like this |
| data | not for me |
| data | this is in the log, right? |
| Sebastian | nah, this is too early to be in the logfile |
| Sebastian | it should be in your stdout |
| BarkerJr | I get it in the log |
| BarkerJr | Apr 12 23:03:44.536 [notice] Parsing GEOIP file. |
| BarkerJr | Apr 12 23:03:44.674 [notice] OpenSSL OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 [90802f] looks like it's older than 0.9.8l, but some vendors have backported 0.9.8l's renegotiation code to earlier versions. I'll set SSL3_FLAGS just to be safe. |
| Sebastian | hm. Then I lied. Bad Sebastian. |
| Sebastian | ah |
| Sebastian | my zlib issue seems to be an upstream problem with gcc warnings. |
| Sebastian | hah, now I get a libevent error |
| Sebastian | wow. This past month almost convinced me that whenever I touch any bugs in Tor, I screw up in a weird way. |
| Sebastian | wtf. |
| BarkerJr | can I refix my relay now? |
| Sebastian | BarkerJr: if you don't mind, keep it broken until tomorrow evening? |
| Sebastian | That'd be great. |
| BarkerJr | k |
| BarkerJr | think this impacts bridges, too? |
| BarkerJr | do you think it's working for some people? |
| BarkerJr | cause my server is still burning 5mbit each way |
| BarkerJr | that might mean that authorities don't like it, but others who still have my relay cached can use it fine |
| BarkerJr | possibly others who have upgraded openssl? |
| Tas | hm, problems with OpenSSL 1.0.0? my bridge works fine with it, as far as I can tell |
| Tas | running 9 days now, on FreeBSD |
| Tas | was running with OpenSSL 0.9.8n before, also no problems |
| Neeraj | arma: seen my answer for resisting censorship? |
| Neeraj | anything else required? |
| Neeraj | I am thinking about writing implementation detail also |
| micah | weasel: do you provide a .deb that is compiled with --enable-openbsd-malloc? |
| enki | Has anyone had any success in torifying the Evolution mail client? |
| zhxk | hello, here again |
| nsa | or: pootle committed revision 22173 (/projects/gettor/i18n): updated files from pootle |
| nsa | or: pootle committed revision 22174 (/translation/trunk/projects/torbutton): updated files from pootle |
| nsa | or: pootle committed revision 22175 (/translation/trunk/projects/torcheck/ja): updated files from pootle |
| nsa | or: pootle committed revision 22176 (/translation/trunk/projects/website): updated files from pootle |
| nsa | or: runa committed revision 22177 (/website/trunk): updated translations for the website |
| weasel | micah: no, not anymore. |
| nsa | or: runa committed revision 22178 (/translation/trunk/projects/website): updated po files for pootle |
| jn0 | It looks like two versions of Tor Weather are running now. I got two mails about a relay. |
| jn0 | I like that one of them includes the header List-Unsubscribe and sent the message in the body. The other mail sent the message as an attachment and does not have the header. |
| jn0 | But it did use TLS to send the mail which the first mailserver did not do, null.lostinthenoise.net. |
| nsa | or: runa committed revision 22179 (/website/trunk/en): added p-tag |
| nsa | or: runa committed revision 22180 (/website/trunk/fr): updated translation for the website |
| nsa | or: runa committed revision 22181 (/website/trunk/torbrowser/en): i is not li |
| nsa | or: runa committed revision 22182 (/translation/trunk/projects/website): updated files for pootle |
| Sebastian | BarkerJr: big thanks for letting your relay remain in broken state for now. I have a good idea what's going on, I think. |
| Sebastian | Please keep it like that for now as we run more tests |
| data | hey, now that i am back up running, i also have my old problem back: [warn] Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit policy. |
| data | But I have MaxAdvertisedBandwidth down to 1000KBytes already |
| data | this is with a core2duo@1.8Ghz and 2 Gigs of ram |
| Sebastian | can you limit it even more? |
| Sebastian | Just to see what happens. 1000KBytes is still a lot |
| SwissTorExit | data: have you tried to use "NumCpus 2"? |
| SwissTorExit | hi Sebastian :D |
| data | SwissTorExit: no, did not know that, will try. Thanks |
| SwissTorExit | you are welcome, maybe can help |
| Sebastian | If that helped, that'd be quite good to learn. unfortunately, Tor doesn't do multithreading well yet. But maybe you'll still have some luck. |
| data | yeah, i will try this first |
| data | i mean, i am not even an exit |
| SwissTorExit | Sebastian: how can you see if it runs well or not with multi core? |
| SwissTorExit | i.e. I was always running with 4 cores and it always looks like it's working well after 1 year |
| Sebastian | SwissTorExit: No, I think you misunderstood what I was trying to say |
| SwissTorExit | I see that it uses almost no resources on 4 cores, that's all |