$NetBSD: patch-aa,v 1.8 2012/11/26 19:00:20 drochner Exp $ From: Taylor R Campbell Subject: patch for Tor to workaround OpenSSL renegotiation lossage on 5.1 Cc: athaba (pkgsrc/net/tor maintainer) Date: Fri, 30 Jul 2010 01:31:50 +0000 Here's a patch to make Tor work on NetBSD 5.1, which implemented OpenSSL 0.9.8l's ABI-incompatible SSL3_FLAGS method for reenabling TLS renegotiation. Tor already jumps through a number of hoops to guess the right way to reenable renegotiation in OpenSSL, but it guesses wrong for the version of OpenSSL that comes with NetBSD 5.1, which, being 0.9.9-dev, looks newer than 0.9.8m. I'm posting this here rather than on a Tor list because I don't think it should be Tor's responsibility to work around back-ports and forward-ports of broken OpenSSL features. What I'd really rather see is OpenSSL 0.9.8m's ABI-compatible SSL_OP method for reenabling TLS[*] put into NetBSD 5.1 (and SSL_OP_ALLOW_UNSAFE_RENEGOTIATION defined in ssl.h) so that this patch would be unnecessary. [2. text/plain; nbsd51-reneg] --- src/common/tortls.c.orig 2012-11-19 21:24:54.000000000 +0000 +++ src/common/tortls.c @@ -477,6 +477,17 @@ tor_tls_init(void) * program should be allowed to use renegotiation unless it first passed * a test of intelligence and determination. */ +#ifdef __NetBSD__ + /* In NetBSD 5.1, OpenSSL 0.9.9-dev was imported and `fixed' to use + the same scheme as 0.9.8l. */ + if (version == OPENSSL_V_NOPATCH(0,9,9)) { + log_notice(LD_GENERAL, "OpenSSL %s on NetBSD looks like version 0.9.8l; " + "I will try SSL3_FLAGS and SSL_OP to enable renegotation.", + SSLeay_version(SSLEAY_VERSION)); + use_unsafe_renegotiation_flag = 1; + use_unsafe_renegotiation_op = 1; + } else +#endif if (version > OPENSSL_V(0,9,8,'k') && version <= OPENSSL_V(0,9,8,'l')) { log_notice(LD_GENERAL, "OpenSSL %s looks like version 0.9.8l, but " "some vendors have backported renegotiation code from "