Bugzilla – Full Text Bug Listing
|Summary:||tor gives a warning about OpenSSL version mismatch|
|Product:||[openSUSE] openSUSE Distribution||Reporter:||Deleted Name <deleted>|
|Component:||Network||Assignee:||Bernhard Wiedemann <bwiedemann>|
|Status:||RESOLVED INVALID||QA Contact:||E-mail List <qa-bugs>|
|Priority:||P5 - None||CC:||Andreas.Stieger, vcizek|
|Found By:||---||Services Priority:|
|Marketing QA Status:||---||IT Deployment:||---|
Description Deleted Name 2019-03-15 12:44:19 UTC
STR: 1. Install package tor-0.3.4.8-lp126.96.36.199.x86_64 2. torctl start 3. torclt log Result: The log shows a warning abut OpenSSL version mismatch. Excerpt: [...] Mar 15 14:38:30.000 [notice] Tor 0.3.4.8 (git-da95b91355248ad8) opening log file. Mar 15 14:38:30.925 [warn] OpenSSL version from headers does not match the version we're running with. If you get weird crashes, that might be why. (Compiled with 1010008f: OpenSSL 1.1.0h 27 Mar 2018; running with 1010009f: OpenSSL 1.1.0i-fips 14 Aug 2018). Mar 15 14:38:30.938 [notice] Tor 0.3.4.8 (git-da95b91355248ad8) running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.0i-fips, Zlib 1.2.11, Liblzma 5.2.3, and Libzstd 1.3.4. [...]
Comment 1 Deleted Name 2019-03-15 12:45:38 UTC
* Step 3 has a typo. Should be 'torctl' not 'tortlc'
Comment 2 Vítězslav Čížek 2019-04-15 11:37:08 UTC
You have installed a different openssl library than the tor package was compiled with. In this case it's a harmless warning. OpenSSL guarantees binary compatibility over letter and the third digit numbers. Eg. 1.1.0i and 1.1.1a are binary compatible. You can check the ABI changes between the openssl versions here: https://abi-laboratory.pro/?view=timeline&l=openssl Starting with the next major release of OpenSSL, there will be a change in the versioning: https://www.openssl.org/policies/releasestrat.html But that's something for the future. To sum it up, the version check in Tor is just too strict. It expects the very same version (the same openssl version number and the version text) for runtime as it was compiled with. I find that unnecessary and the test could certainly be relaxed. I know Tor takes the security of its users seriously, but IMHO here it's just being overly rigorous.
Comment 3 Andreas Stieger 2019-04-15 11:49:20 UTC
expected minor and informational warning