[tor-bugs] #4822 [Tor Client]: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Fri Jan 6 22:19:44 UTC 2012
#4822: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
---------------------------+------------------------------------------------
Reporter: nickm | Owner:
Type: defect | Status: reopened
Priority: critical | Milestone: Tor: 0.2.1.x-final
Component: Tor Client | Version:
Resolution: | Keywords:
Parent: | Points:
Actualpoints: |
---------------------------+------------------------------------------------
Comment(by asn):
This is what wanoskarnet said, before the comment that arma pasted in
comment:33.
{{{
< wanoskarnet> "Tell OpenSSL to only use TLS1. This would actually break
compatibility with clients that are configured to use SSLv23_method()". It
is a wrong statement. An SSLv23 client sends a ProtocolVersion that
indicates it understands TLSv1, so the server understands it well. The docs
mean SSLv3 clients that never send ProtocolVersion == TLSv1, only SSLv3,
not SSLv23 clients.
< wanoskarnet> Tor never used SSLv2 compatibility, so the client hello looks
exactly like SSLv3.1 (TLSv1).
< wanoskarnet> A Tor client which uses SSLv23_method can work with a server
which uses TLSv1_method. You missed "SSL_OP_NO_SSLv2" while discussing
#4822.
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4822#comment:35>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
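
The wire-level distinction the quoted comment relies on, as an added example that is not code from Tor, OpenSSL or the ticket: a ClientHello sent in SSLv3/TLS record framing carries the highest version the client offers, while an SSLv2-compatible hello uses different framing. The function names, the constructed sample bytes and the simplified "TLSv1-only server" acceptance rule are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum hello_kind { KIND_INVALID = 0, KIND_SSLV2_COMPAT, KIND_V3_RECORD };

struct hello_info {
    enum hello_kind kind;
    uint16_t client_version;   /* highest version offered; 0x0301 = TLSv1 */
};

/* Constructed, truncated ClientHello prefixes (not captured traffic). */
const uint8_t SAMPLE_TLS1[] = {0x16,0x03,0x01,0x00,0x2d,0x01,0x00,0x00,0x29,0x03,0x01};
const uint8_t SAMPLE_SSL3[] = {0x16,0x03,0x00,0x00,0x2d,0x01,0x00,0x00,0x29,0x03,0x00};
const uint8_t SAMPLE_V2[]   = {0x80,0x2e,0x01,0x03,0x01};

/* Classify the first bytes a client sends on a new connection. */
struct hello_info classify_client_hello(const uint8_t *b, size_t n)
{
    struct hello_info h = { KIND_INVALID, 0 };
    /* SSLv2-compatible hello: length with high bit set, msg type 1, version. */
    if (n >= 5 && (b[0] & 0x80) && b[2] == 0x01) {
        h.kind = KIND_SSLV2_COMPAT;
        h.client_version = (uint16_t)(b[3] << 8 | b[4]);
        return h;
    }
    /* SSLv3/TLS record: type 22, record version, 2-byte length, then
     * handshake type 1 (ClientHello), 3-byte length, client_version. */
    if (n >= 11 && b[0] == 0x16 && b[1] == 0x03 && b[5] == 0x01) {
        h.kind = KIND_V3_RECORD;
        h.client_version = (uint16_t)(b[9] << 8 | b[10]);
    }
    return h;
}

/* Simplified model of a TLSv1-only server: it needs record framing and an
 * offered version of at least TLSv1 (0x0301). */
int tls1_only_server_accepts(struct hello_info h)
{
    return h.kind == KIND_V3_RECORD && h.client_version >= 0x0301;
}

int main(void)
{
    printf("record hello, TLSv1 offered: %d\n",
           tls1_only_server_accepts(classify_client_hello(SAMPLE_TLS1, sizeof SAMPLE_TLS1)));
    printf("record hello, SSLv3 only:    %d\n",
           tls1_only_server_accepts(classify_client_hello(SAMPLE_SSL3, sizeof SAMPLE_SSL3)));
    printf("SSLv2-compatible hello:      %d\n",
           tls1_only_server_accepts(classify_client_hello(SAMPLE_V2, sizeof SAMPLE_V2)));
    return 0;
}
```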