Bug 1129411

Summary: tor gives a warning about OpenSSL version mismatch
Product: [openSUSE] openSUSE Distribution
Reporter: Deleted Name <deleted>
Component: Network
Assignee: Bernhard Wiedemann <bwiedemann>
Status: RESOLVED INVALID
QA Contact: E-mail List <qa-bugs>
Severity: Minor
Priority: P5 - None
CC: Andreas.Stieger, vcizek
Version: Leap 15.0
Target Milestone: ---
Hardware: x86-64
OS: Other

Description Deleted Name 2019-03-15 12:44:19 UTC
STR:

1. Install package tor-0.3.4.8-lp150.2.3.1.x86_64
2. torctl start
3. torclt log

Result:

The log shows a warning about OpenSSL version mismatch. Excerpt:

[...]
Mar 15 14:38:30.000 [notice] Tor 0.3.4.8 (git-da95b91355248ad8) opening log file.
Mar 15 14:38:30.925 [warn] OpenSSL version from headers does not match the version we're running with. If you get weird crashes, that might be why. (Compiled with 1010008f: OpenSSL 1.1.0h  27 Mar 2018; running with 1010009f: OpenSSL 1.1.0i-fips  14 Aug 2018).
Mar 15 14:38:30.938 [notice] Tor 0.3.4.8 (git-da95b91355248ad8) running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.0i-fips, Zlib 1.2.11, Liblzma 5.2.3, and Libzstd 1.3.4.
[...]
Comment 1 Deleted Name 2019-03-15 12:45:38 UTC
* Step 3 has a typo. Should be 'torctl' not 'tortlc'
Comment 2 Vítězslav Čížek 2019-04-15 11:37:08 UTC
You have installed a different openssl library than the tor package was compiled with.
In this case it's a harmless warning.

OpenSSL guarantees binary compatibility over letter and the third digit numbers.
E.g. 1.1.0i and 1.1.1a are binary compatible.

You can check the ABI changes between the openssl versions here:
https://abi-laboratory.pro/?view=timeline&l=openssl

Starting with the next major release of OpenSSL, there will be a change
in the versioning:
https://www.openssl.org/policies/releasestrat.html
But that's something for the future.

To sum it up, the version check in Tor is just too strict.
It expects the very same version (the same openssl version number and
the version text) for runtime as it was compiled with.
I find that unnecessary and the test could certainly be relaxed.

I know Tor takes the security of its users seriously, but IMHO here it's
just being overly rigorous.
Comment 3 Andreas Stieger 2019-04-15 11:49:20 UTC
expected minor and informational warning
Comment 4 Bernhard Wiedemann 2019-04-15 13:10:41 UTC
Trying to upstream a relaxed version check:
https://github.com/torproject/tor/pull/951
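
The version numbers in the log excerpt decode as shown in this added example (not Tor's code and not the check from the pull request above). It contrasts an exact comparison with a relaxed one that, as an assumption drawn from comment 2, requires only the major and minor fields to match; the struct and function names are hypothetical.

```c
#include <stdio.h>
#include <stdint.h>

/* Fields of a pre-3.0 OPENSSL_VERSION_NUMBER, laid out as 0xMNNFFPPS. */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver ossl_decode(uint32_t v)
{
    struct ossl_ver r;
    r.major  = (v >> 28) & 0xf;
    r.minor  = (v >> 20) & 0xff;
    r.fix    = (v >> 12) & 0xff;
    r.patch  = (v >> 4)  & 0xff;   /* 1 = 'a', 2 = 'b', ... */
    r.status = v & 0xf;            /* 0xf = release */
    return r;
}

/* Strict on the number: any differing field counts as a mismatch. */
static int ossl_same_exact(uint32_t built, uint32_t running)
{
    return built == running;
}

/* Relaxed (assumption, per comment 2): only major and minor must match. */
static int ossl_same_abi_series(uint32_t built, uint32_t running)
{
    return (built & 0xfff00000u) == (running & 0xfff00000u);
}

/* Render "1.1.0h" style text; buf must hold at least 16 bytes. */
static const char *ossl_format(uint32_t v, char *buf, size_t len)
{
    struct ossl_ver r = ossl_decode(v);
    char letter[2] = { 0, 0 };
    if (r.patch >= 1 && r.patch <= 26) letter[0] = (char)('a' + r.patch - 1);
    snprintf(buf, len, "%u.%u.%u%s", r.major, r.minor, r.fix, letter);
    return buf;
}

int main(void)
{
    /* Values taken from the log excerpt in the description. */
    uint32_t built = 0x1010008fu, running = 0x1010009fu;
    char a[16], b[16];
    printf("built %s, running %s: exact=%d, same series=%d\n",
           ossl_format(built, a, sizeof a), ossl_format(running, b, sizeof b),
           ossl_same_exact(built, running), ossl_same_abi_series(built, running));
    return 0;
}
```

The mask treats a runtime library older than the build headers the same as a newer one; a variant that also requires `running >= built` would flag the case where the binary may reference symbols the installed library lacks.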