[tor-bugs] #4822 [Tor Client]: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Thu Jan 5 02:33:03 UTC 2012
#4822: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
------------------------+---------------------------------------------------
Reporter: nickm | Owner:
Type: defect | Status: needs_review
Priority: critical | Milestone: Tor: 0.2.1.x-final
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by nickm):
Replying to [comment:15 rransom]:
> The dangerous case could happen with packages for one Linux distribution
> used on a different distribution (e.g. packages built on and for Ubuntu
> used on Mint, before Mint updates its OpenSSL packages).
Okay. Then I'd say, "do this whenever the runtime version looks bad or the
compile-time version looks bad."
> But if there is no reason to try to enable SSL 3 whenever it is safe to
> do so, we shouldn't make this change depend on OpenSSL's version at all.
I think we think it might help for profiling resistance. I don't want to
make extra changes to our default SSL profile back to 0.2.1 and 0.2.2 as
part of this ticket without significant further analysis. This is a
"let's make sure that the SSL vulnerability doesn't bite our users"
ticket, not a "and while we're here, let's throw out parts of our SSL
profile that we think we can do without" ticket.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4822#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
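
The "runtime version looks bad or compile-time version looks bad" rule from the comment above, as an added example that is not Tor's code. The fixed releases (0.9.8s and 1.0.0f) are an assumption not stated on this page, and the function names are hypothetical.

```c
#include <stdio.h>

/* OpenSSL packs a release into one number, 0xMNNFFPPS:
 * major, minor, fix, patch letter (a=1, b=2, ...), status (0xf = release). */
#define OSSL_V(maj, min, fix, letter) \
    (((unsigned long)(maj) << 28) | ((unsigned long)(min) << 20) | \
     ((unsigned long)(fix) << 12) | \
     ((unsigned long)((letter) - 'a' + 1) << 4) | 0xfUL)

/* Assumption: first releases carrying the CVE-2011-4576 fix. */
#define FIXED_098  OSSL_V(0, 9, 8, 's')
#define SERIES_100 0x10000000UL          /* start of the 1.0.0 series */
#define FIXED_100  OSSL_V(1, 0, 0, 'f')

/* A version "looks bad" if it predates the fix in its own series. */
static int version_looks_bad(unsigned long v)
{
    if (v < FIXED_098)
        return 1;
    if (v >= SERIES_100 && v < FIXED_100)
        return 1;
    return 0;
}

/* Headers and shared library can come from different distributions, so
 * either side being old is enough. A caller would pass
 * OPENSSL_VERSION_NUMBER and SSLeay(), and set SSL_OP_NO_SSLv3 on the
 * context when this returns 1. */
int must_disable_ssl3(unsigned long compile_time, unsigned long run_time)
{
    return version_looks_bad(compile_time) || version_looks_bad(run_time);
}

int main(void)
{
    /* Constructed cases: built on a patched system, run on an unpatched one. */
    printf("built 0.9.8s, running 0.9.8r -> %d\n",
           must_disable_ssl3(OSSL_V(0, 9, 8, 's'), OSSL_V(0, 9, 8, 'r')));
    printf("built 1.0.0f, running 1.0.0f -> %d\n",
           must_disable_ssl3(OSSL_V(1, 0, 0, 'f'), OSSL_V(1, 0, 0, 'f')));
    return 0;
}
```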