free blog   apache   shopping directory   php powered
SebastianBarkerJr: please break barkerjrparis again so we can debug?
BarkerJrk, breaking
SebastianBarkerJr: thanks!
SebastianBarkerJr: let me know when you're done
BarkerJrApr 12 21:41:38.100 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Sebastianyay you broke it
BarkerJrnp :)
SebastianBarkerJr: can you unbreak it?
Sebastian(is this a lot of work for you?)
Sebastian(I want you to unbreak it so I can get the debug log for comparison with the working relay. Too bad I didn't save it last time)
Sebastianif it is a lot of work I'll try hard to recreate your setup and do the work
BarkerJrnah, it's not bad
BarkerJryum downgrade httpd mod_ssl openssl openssl-devel; kill -TERM `pidof tor`
BarkerJrthen it restarts a minute later
Sebastianlet me know when you're done
BarkerJrall set
BarkerJrI have a minutely cron job that starts tor if it's not running
SebastianBarkerJr: What Tor package is that?
SebastianWhere does it come from?
nickmMy current theory is that there's some binary compatibility issue, and that if you were to build Tor from source to link against openssl-1.0.0 it would work fine, but for some reason Tors build with older openssls don't work when linked with openssl-1.0.0
nickmI could be wrong, but if I'm right, this will be easy to debug by "try and find out" methods, and hard to debug by looking at logs.
nickmBecause this is a very hard bug to figure out by tracing through the source (since it involves Tor thinking that it's using one version of the openssl data structures when it's really using another), I'd really like to rule it out if possible.
BarkerJrI tried that a few days ago (and noted that in the bug), but I could try again if you want to see what you get in debug logs
BarkerJrthis is source
BarkerJrdon't remember when I compiled it
Sebastianwhat did you try?
BarkerJrI downloaded and compiled tor- on friday with ./configure --enable-openbsd-malloc --disable-asciidoc
BarkerJrI can't imagine those configure options would cause it, though, cause the packages don't use them, right?
SebastianI think that might mean that you compiled against an earlier version of openssl
Sebastiancan you compile it against 1.0.0 and see what happens then?
BarkerJrthe new version was released 1.5 weeks ago
Sebastianso you're saying you did compile against the latest version?
BarkerJryeah, 0.9.8e-12.el5_4.6
Sebastianok. hm. now my head explodes.
BarkerJr0.9.8e-12.el5_4.1     is the one that works
Sebastiando you know how to get a diff between them?
BarkerJrhmm, not sure
nsaor: [tor/master] 2010-04-12 22:12:49 Nick Mathewson <>: Log bandwidth_weight_rule_t as a string, not an integer.
murb and
Action: murb tries to rember flags to rpmbuild
SebastianI guess that takes care of nickm's abi incompatibility
nsaor: [tor/maint-0.2.1] 2010-04-12 22:10:56 Peter Palfrader <>: testsuite: Prevent the main thread from starving the worker threads
nsaor: [tor/maint-0.2.1] 2010-04-12 20:49:58 Peter Palfrader <>: testsuite: Only free the main mutex when and if all the worker threads are done
SebastianI also wonder if something was backported from openssl 1.0.0.
murbdiffs of diffs are confusing.
datanickm: haven't read everything, but I am using gentoo here
dataafter the update to 0.9.8m, it stopped working for me
nsaor: [tor/master] 2010-04-12 22:22:06 Nick Mathewson <>: Merge commit 'origin/maint-0.2.1'
nsaor: [tor/master] 2010-04-12 20:49:58 Peter Palfrader <>: testsuite: Only free the main mutex when and if all the worker threads are done
nsaor: [tor/master] 2010-04-12 22:10:56 Peter Palfrader <>: testsuite: Prevent the main thread from starving the worker threads
Sebastiandata: and when you recompile against that new openssl version, you get breakage too?
nickmSebastian: so when people recompile against openssl 1.0.0, they fail, but when you try a private network using openssl 1.0.0, it works?
SebastianI haven't tried openssl 1.0.0 myself
Sebastianbut reading what data and murb write, it might not be openssl 1.0.0 only
nickmoh; I thought you had.
Sebastiansee their version numbers
nickmsure, but one thing at a time
datarecompiling atm
SebastianI'm just now fetching 0.9.8n
Sebastiantrying that first, because that is what data uses
nickmI wonder if they broke renegotiation again, harder.
datai mistyped, btw. it's n that is not working
datayeah, last time was a lot of fun with all my client certificates...
Sebastiannickm: so they did implement rfc something
Sebastianthat one
Sebastianfirst version they implemented it was m
datais there a document where the negotiation used in tor is being described?
nickmhm.  I wonder if there's an option we need to twiddle to tell it, "it's okay if the other side doesn't do stuff the rfc5746 way!"
nickmor if that's just the same option as before.
nickmHm.. SSL_OP_LEGACY_SERVER_CONNECT .  I wonder if we need to mess with this.
Sebastianmaybe helps?
Sebastiansection "Updates adding RFC 5746 support"
nickm might.  but it doesn't seem to imply that we need to do anything.
nickmi guess we might need to use the source
Action: nickm needs to take a break before trying to read openssl source again
dataSebastian: I just rebuild and restarted
dataYour Tor server's identity key fingerprint is 'CompSciR0x 6598FCA0B3ADF12DD6B11838812BDCC81C293852'
nickmooh, from the openssl 0.9.8m changelog: 'If client attempts to renegotiate and doesn't support RI respond with a no_renegotiation alert as required by RFC5746. Some renegotiating TLS clients will continue a connection gracefully when they receive the alert. Unfortunately OpenSSL mishandled this alert and would hang waiting for a server hello which it will never receive. Now we treat a received no_renegotiation alert as a fatal error. This is because applications requ
nickmoops, bigger than I thought.
Sebastiandata: got an ip and port for me?
Sebastianthat looks kind of relevant :)
data Now checking whether ORPort and DirPort
nickmSebastian: conceivably.
databtw. I jumped from l to n
dataso it might be changes in m or n
Sebastiandata: works for me now.
datareally? hmm
datai did a link check with revdep-rebuild, but it found nothing
Sebastiandata: otoh, I did update my openssl to 0.9.8n now
SebastianBarkerJr: is your relay currently broken?
SebastianIf not, please break it?
dataSebastian: how are you testing?
Sebastiantrying to use your relay as a bridge
Sebastianah no, that's not it. I'm still using 0.0.8l
Sebastianerm, 0.9.8l
BarkerJrnot broken
BarkerJrdidn't you tell me to file duplicate tickets today? :)
SebastianI meant "please file one bug with both issues" :)
SebastianI didn't word it so well.
BarkerJrwhy would you want one bug for two issues?
BarkerJrthen you are forced to fix both at in the same version
BarkerJranyway, should be broken now: Apr 12 23:03:47.170 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Sebastianit's still broken for me. good.
dataSebastian: it really seems like I fixed it by recompiling
Sebastianthanks for testing.
SebastianThis is just getting way over my head. ugh.
dataBarkerJr: did you try compiling it by hand?
Sebastianhe did that from the start :/
Sebastiannow that I try to use openssl 0.9.8n, Tor doesn't compile for me
Sebastiannickm: i get this error:
SebastianIn file included from torgzip.c:19:
Sebastian/opt/local//include/zlib.h:1568:32: error: "_FILE_OFFSET_BITS" is not defined
SebastianI'm not sure why Tor would use zlib from macports. I only told it to use openssl
nsaor: [debian-tor/debian-0.2.1] 2010-04-12 22:25:27 Peter Palfrader <>: Minor bugfixes to make the testsuite work on our new Octeon machines
datayeah, tor is definitely working again. already at 2k connections
Sebastianand when Tor started it told you you were using the newest version?
Sebastianerm, the new openssl version
datawhere would it say such a thing?
Sebastianwhen it starts
SebastianApr 13 00:57:22.501 [notice] OpenSSL OpenSSL 0.9.8l 5 Nov 2009 looks like version 0.9.8l; I will try SSL3_FLAGS to enable renegotation.
Sebastiansomething like this
datanot for me
datathis is in the log, right?
Sebastiannah, this is too early to be in the logfile
Sebastianit should be in your stdout
BarkerJrI get it in the log
BarkerJrApr 12 23:03:44.536 [notice] Parsing GEOIP file.
BarkerJrApr 12 23:03:44.674 [notice] OpenSSL OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 [90802f] looks like it's older than 0.9.8l, but some vendors have backported 0.9.8l's renegotiation code to earlier versions.  I'll set SSL3_FLAGS just to be safe.
Sebastianhm. Then I lied. Bad Sebastian.
Sebastianmy zlib issue seems to be an upstream problem with gcc warnings.
Sebastianhah, now I get a libevent error
Sebastianwow. This past month almost convinced me that whenever I touch any bugs in Tor, I screw up in a weird way.
BarkerJrcan I refix my relay now?
SebastianBarkerJr: if you don't mind, keep it broken until tomorrow evening?
SebastianThat'd be great.
BarkerJrthink this impacts bridges, too?
BarkerJrdo you think it's working for some people?
BarkerJrcause my server is still burning 5mbit each way
BarkerJrthat might mean that authorities don't like it, but others who still have my relay cached can use it fine
BarkerJrpossibly others who have upgraded openssl?
Tashm, problems with OpenSSL 1.0.0? my bridge works fine with it, as far as I can tell
Tasrunning 9 days now, on FreeBSD
Taswas running with OpenSSL 0.9.8n before, also no problems
Neerajarma: seen my answer for resisting censorship?
Neerajanything else required?
Neeraji am thinkin about writing implementation detail also
micahweasel: do you provide a .deb that is compiled with --enable-openbsd-malloc?
enkiHas anyone had any success in torifying the Evolution mail client?
zhxkhello, here again
nsaor: pootle committed revision 22173 (/projects/gettor/i18n): updated files from pootle
nsaor: pootle committed revision 22174 (/translation/trunk/projects/torbutton): updated files from pootle
nsaor: pootle committed revision 22175 (/translation/trunk/projects/torcheck/ja): updated files from pootle
nsaor: pootle committed revision 22176 (/translation/trunk/projects/website): updated files from pootle
nsaor: runa committed revision 22177 (/website/trunk): updated translations for the website
weaselmicah: no, not anymore.
nsaor: runa committed revision 22178 (/translation/trunk/projects/website): updated po files for pootle
jn0It looks like two versions of Tor Weather is running now. I got two mails about a relay.
jn0I like that one of them include the header List-Unsubscribe and sent the message in the body. The other mail sent the message as an attachment and does not have the header.
jn0But it did use TLS to send the mail which the first mailserver did not do,
nsaor: runa committed revision 22179 (/website/trunk/en): added p-tag
nsaor: runa committed revision 22180 (/website/trunk/fr): updated translation for the website
nsaor: runa committed revision 22181 (/website/trunk/torbrowser/en): i is not li
nsaor: runa committed revision 22182 (/translation/trunk/projects/website): updated files for pootle
SebastianBarkerJr: big thanks for letting your relay remain in broken state for now. I have a good idea what's going on, I think.
SebastianPlease keep it like that for now as we run more tests
datahey, now that i am back up running, i also have my old problem back:  [warn] Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit policy.
dataBut I have MaxAdvertisedBandwidth down to 1000KBytes already
datathis is with a core2duo@1.8Ghz and 2 Gigs of ram
Sebastiancan you limit it even more?
SebastianJust to see what happens. 1000KBytes is still a lot
SwissTorExitdata:  have you tried ti use "NumCpus 2" ?
SwissTorExithi Sebastian :D
dataSwissTorExit: no, did not know that, will try. Thanks
SwissTorExityou are welcome, maybe can help
SebastianIf that helped, that'd be quite good to learn. unfortunately, Tor doesn't do multithreading well yet. But maybe you'll still have some luck.
datayeah, i will try this first
datai mean, i am not even an exit
SwissTorExitSebastian:  how can you see if it run well or not with multi core ?
SwissTorExiti.e i was always running with 4 cores and always look working well after 1 year
SebastianSwissTorExit: No, I think you misunderstood what I was trying to say
SwissTorExiti see that it use almost no ressource on 4 cores , that's all
Popular searches: apparmor thunderbird   awesome3 xcompmgr slow   

Generated by 2.1mg by Jeff Waugh - return