Apple broke OpenSSL which breaks Tor on OS X

by phobos | January 27, 2010

Apple OS X Security Update 2010-001 removes OpenSSL renegotation, http://support.apple.com/kb/HT1222. We've filed a bug report with Apple on this issue. Their standard response so far is http://support.apple.com/kb/HT4004.

In the meanwhile, we have bug #1225 open, https://bugs.torproject.org/flyspray/index.php?do=details&id=1225. Add yourself to the Notifications if you want updates as they happen. A fine explanation of why Tor is not affected by the TLS renegotiation bug can be found at https://bugs.torproject.org/flyspray/index.php?do=details&id=1225&area=…

Packages for testing are available at:
https://sedvblmbog.tudasnich.de/dist/testing/

READ THIS FINE PRINT:

  1. These will only work on OSX 10.5 and 10.6 (both i386 and powerpc). Tor fails to compile when using the 10.4 libraries and static openssl.
  2. Tor-0.2.2.8-alpha-i386-Bundle.dmg is compiled to replace the tor
    binaries in /Applications/Vidalia.app/Contents/MacOS only. If your tor
    is located elsewhere, compile your own for now.
  3. let us know if they work for you. My testing systems show it works
    for me. Update
    https://bugs.torproject.org/flyspray/index.php?do=details&id=1225 if it
    doesn't work or you have other issues with these testing packages.

I'm still working on os x 10.4 packages.

Comments

Please note that the comment area below has been archived.

Anonymous (not verified) said:

January 27, 2010

Permalink

Thanks phobos, the 0.2.2.8-alpha build works on my mac - posting from within China's GFW :)

Anonymous (not verified) said:

January 28, 2010

Permalink

The tor bundle puts binaries in the wrong location. I believe in /Applications/Vidalia.app/Contents. You have to move them to MacOS. Once this is done, tor connects again.

Anonymous (not verified) said:

January 28, 2010

Permalink

The tor bundle puts binaries in the wrong location. I believe in /Applications/Vidalia.app/Contents. You have to move them to MacOS. Once this is done, tor connects again.

Anonymous (not verified) said:

January 28, 2010

Permalink

Can I just say that I (we) really appreciate your (anyone's) dedication to this project and the efficiency with which this problem has been identified and (mostly) dealt with in a professional and officiated manner. Thank you.

Anonymous (not verified) said:

January 28, 2010

Permalink

Also posting from within China's de facto intranet.
I really had a fright and thought they had managed to block most of the bridges.
Thanks for the quick fix!

Anonymous (not verified) said:

January 29, 2010

Permalink

I would really appreciate if someone could please spell out how to fix this in language that can be understood by someone who lacks the computing skills which most of you seem to share. Which buttons do I press in what order please?

From what I understand, the latest Apple security update which you probably downloaded for your computer disabled something Tor needs to work called "OpenSSL". It was found that it could leak information so it was disabled by Apple as a "preventive security measure" until they fix the problem.

If you're using Tor then you probably don't want a leak in the pipeline spilling your sensitive data right? Apple is trying to help keep things more secure. You'll just have to wait until Apple re-enables it - hopefully soon with the Security Update.

I myself don't know how to undo it if you already installed the security update, but if you have Time Machine backup running, it may be possible to roll back on to a period before the system update and Tor may work once again. Otherwise, I can't say how to fix it. Another suggestion floating around was to use an older version of Tor/Vidalia if you can find one and install that.

Hope this helps.

OpenSSL was not disabled, it was patched to disable TLS renegotiation temporarily while the protocol is repaired.
In terms of fixing Tor, you can either wait for a further OSX update or go to https://sedvblmbog.tudasnich.de/dist/osx/ and download Tor-X.X.X.X-alpha-i386-Bundle.dmg (I downloaded 0.2.2.9). Then open the image and run the installer. After that Vidalia should work.

Anonymous (not verified) said:

January 29, 2010

Permalink

The 0.2.2.8-alpha installer puts the updated files in /Applications/Vidalia.app (alongside the "Contents" folder), so it doesn't work. As another user reported, manually moving the four files into /Applications/Vidalia.app/Contents/MacOS/ fixes the problem. Note that there are more than four files in that directory, but this update is replacing only four of them.

Anonymous (not verified) said:

January 31, 2010

Permalink

I'm running Tor on a Mac OSX 10.5.8 and had all the problems described after installing the Apple security update recently. I've just installed vidalia-bundle-0.2.2.8-alpha-0.2.7-i386.dmg and Tor is back up and running again.

Great work, thanks a bundle.

Anonymous (not verified) said:

January 31, 2010

Permalink

"plain language" instructions as to how it worked for me.

Delete your current Vidalia application and delete the TOR folder in library/application support

Go to https://sedvblmbog.tudasnich.de/dist/testing/
download vidalia-bundle-0.2.2.8-alpha-0.2.7-i386 or PPC depending on your mac. I simply installed this and TOR worked

I don't think you need to install Tor-0.2.2.8-alpha-i386-Bundle (or PPC) but I could be wrong

Anonymous (not verified) said:

February 07, 2010

Permalink

Is it just a coincidence, or is Tor now running more snappily than before?

I followed the instructions given by another commentator to repair the glitch and after installing the 0.2.2.8 alpha bundle I've noticed that the sites I visit using Vidalia-Tor load faster than before, even while using familiar relays, I like the fact that out of a glitch I seem to have wound up with a more efficient Tor experience.

Anonymous (not verified) said:

February 11, 2010

Permalink

Steve Jobs loves Mahmoud Amadinejahd..

this update is bloking apple user to help tor user during this hot days .... not a month ago... today ...

Anonymous (not verified) said:

March 05, 2010

Permalink

Brilliant, thank you. I have been trying various recompiles of tor and openssl for about a week with no luck. This works!

Anonymous (not verified) said:

April 17, 2010

Permalink

Dear All,
I'm new in Mac, I try install all differente dmg files of vidalia from torproject.com page, but all of them come back saying " the following disk image failure mounted (file not recognized":

vidalia-bundle-0.2.1.25-0.2.7-i386.dmg
vidalia-bundle-0.2.1.25-0.2.7-ppc.dmg
and the other too....

I have try both i386 and ppc, could not install at all, I'm using a leopard 10.5.8 .... can anyone help out.

thanks guys, that will help me go out of China GFW....

Anonymous (not verified) said:

June 10, 2010

Permalink

Here's my problem:
DL'd latest Vidalia bundle (0.2.9)...no installer in the bundle. Only Vidalia, which you drag to your Applications folder. I dumped the old Vidalia, and looked for TOR in the Library>Application Support folder, and it wasn't there. I checked the contents of the app, and all the files are in their proper folders. (So that when I show the contents, there is one folder (Content) with three folders (Frameworks, MacOS, and Resources) and one file (info.plist). There are no stray files, in other words.

When I start up Vidalia, though, its icon gets a big red X and it tells me it can't start. Can someone please give a tutorial so we dweebs can fix it?

Anonymous (not verified) said:

March 29, 2011

Permalink

Attempting to run Tor on Mac OS X 10.4.11 on PowerPC, specifically an iBook G3. This is the most recent version of Mac OS X that works on an iBook G3. Both stable and unstable bundles fail to start. Advice?