Bug 1129411 - tor gives a warning about OpenSSL version mismatch
Status: RESOLVED INVALID
Classification: openSUSE
Product: openSUSE Distribution
Component: Network
Version: Leap 15.0
Hardware: x86-64 Other
Importance: P5 - None, Minor
Assigned To: Bernhard Wiedemann
Reported: 2019-03-15 12:44 UTC by Deleted Name
Modified: 2019-04-15 13:10 UTC (History)
Description Deleted Name 2019-03-15 12:44:19 UTC
STR:

1. Install package tor-0.3.4.8-lp150.2.3.1.x86_64
2. torctl start
3. torclt log

Result:

The log shows a warning about OpenSSL version mismatch. Excerpt:

[...]
Mar 15 14:38:30.000 [notice] Tor 0.3.4.8 (git-da95b91355248ad8) opening log file.
Mar 15 14:38:30.925 [warn] OpenSSL version from headers does not match the version we're running with. If you get weird crashes, that might be why. (Compiled with 1010008f: OpenSSL 1.1.0h  27 Mar 2018; running with 1010009f: OpenSSL 1.1.0i-fips  14 Aug 2018).
Mar 15 14:38:30.938 [notice] Tor 0.3.4.8 (git-da95b91355248ad8) running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.0i-fips, Zlib 1.2.11, Liblzma 5.2.3, and Libzstd 1.3.4.
[...]
Comment 1 Deleted Name 2019-03-15 12:45:38 UTC
* Step 3 has a typo. Should be 'torctl' not 'tortlc'
Comment 2 Vítězslav Čížek 2019-04-15 11:37:08 UTC
You have installed a different openssl library than the tor package was compiled with.
In this case it's a harmless warning.

OpenSSL guarantees binary compatibility over letter and the third digit numbers.
E.g. 1.1.0i and 1.1.1a are binary compatible.

You can check the ABI changes between the openssl versions here:
https://abi-laboratory.pro/?view=timeline&l=openssl

Starting with the next major release of OpenSSL, there will be a change
in the versioning:
https://www.openssl.org/policies/releasestrat.html
But that's something for the future.

To sum it up, the version check in Tor is just too strict.
It expects the very same version (the same openssl version number and
the version text) for runtime as it was compiled with.
I find that unnecessary and the test could certainly be relaxed.

I know Tor takes the security of its users seriously, but IMHO here it's
just being overly rigorous.
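
The compatibility rule stated in Comment 2, applied to the two version numbers from the log, as an added example (not part of the bug thread and not Tor's code). The function names are hypothetical, and the relaxed check encodes the rule as the comment gives it, not the change proposed upstream.

```c
#include <stdint.h>
#include <stdio.h>

/* Pre-3.0 OpenSSL version numbers are packed as 0xMNNFFPPS:
 * major, minor, fix, patch (1 = 'a', 2 = 'b', ...), status (0xf = release). */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

static struct ossl_ver ossl_decode(uint32_t v)
{
    struct ossl_ver r;
    r.major  = (v >> 28) & 0xf;
    r.minor  = (v >> 20) & 0xff;
    r.fix    = (v >> 12) & 0xff;
    r.patch  = (v >> 4) & 0xff;
    r.status = v & 0xf;
    return r;
}

/* Strict comparison: any difference at all counts as a mismatch. */
static int ossl_identical(uint32_t compiled, uint32_t running)
{
    return compiled == running;
}

/* Relaxed comparison per Comment 2: the fix number and patch letter may
 * differ, so only major and minor (the top 12 bits) have to match. */
static int ossl_abi_compatible(uint32_t compiled, uint32_t running)
{
    return (compiled & 0xfff00000u) == (running & 0xfff00000u);
}

static void report(uint32_t compiled, uint32_t running)
{
    struct ossl_ver c = ossl_decode(compiled), r = ossl_decode(running);
    printf("%u.%u.%u patch %u vs %u.%u.%u patch %u: identical=%d compatible=%d\n",
           c.major, c.minor, c.fix, c.patch, r.major, r.minor, r.fix, r.patch,
           ossl_identical(compiled, running),
           ossl_abi_compatible(compiled, running));
}

int main(void)
{
    report(0x1010008fu, 0x1010009fu); /* values from the log: 1.1.0h vs 1.1.0i */
    report(0x1010009fu, 0x1010101fu); /* 1.1.0i vs 1.1.1a, the pair Comment 2 names */
    report(0x1000212fu, 0x1010009fu); /* constructed: 1.0.2r vs 1.1.0i */
    return 0;
}
```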
Comment 3 Andreas Stieger 2019-04-15 11:49:20 UTC
expected minor and informational warning
Comment 4 Bernhard Wiedemann 2019-04-15 13:10:41 UTC
Trying to upstream a relaxed version check:
https://github.com/torproject/tor/pull/951