[tor-bugs] #4744 [Tor Bridge]: GFW probes based on Tor's SSL cipher list
    Tor Bug Tracker & Wiki 
    torproject-admin at torproject.org
       
    Mon Jun  4 16:41:47 UTC 2012
    
    
  
#4744: GFW probes based on Tor's SSL cipher list
--------------------------------+-------------------------------------------
 Reporter:  asn                 |          Owner:  nickm             
     Type:  defect              |         Status:  needs_review      
 Priority:  major               |      Milestone:  Tor: 0.2.3.x-final
Component:  Tor Bridge          |        Version:                    
 Keywords:  tls fingerprinting  |         Parent:  #4185             
   Points:                      |   Actualpoints:                    
--------------------------------+-------------------------------------------
Comment(by asn):
 On the server side, if the client's ciphersuites indicate 198-awareness,
 maybe passing
 `EDH+AES:EDH+3DES:!LOW:!MEDIUM:!NULL:!EDH-RSA-DES-CBC3-SHA`
 to `SSL_set_cipher_list()` will do the filtering specified by proposal
 198?
 {{{
   Otherwise, the ClientHello has these semantics: The inclusion of any
   cipher supported by OpenSSL 1.0.0 means that the client supports it,
   with the exception of
       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
   which is never supported. Clients MUST advertise support for at least
   one of
   TLS_DHE_RSA_WITH_AES_256_CBC_SHA or TLS_DHE_RSA_WITH_AES_128_CBC_SHA.
   The server MUST choose a ciphersuite with ephemeral keys for forward
   secrecy; MUST NOT choose a weak or null ciphersuite; and SHOULD NOT
   choose any cipher other than AES or 3DES.
 }}}
-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4744#comment:28>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
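
The server-side selection rules in the proposal 198 text quoted above, as an added example that is not part of the ticket and is not Tor's code. Assumptions: all function and constant names are hypothetical, the definition of "weak" (export, anonymous, single DES, RC2, 40-bit RC4) is this example's own, and the server honours client preference order.

```python
# Added example: server-side ciphersuite choice under the quoted rules.
# All names are hypothetical; this is not Tor's implementation.

NEVER_SUPPORTED = {"SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"}
REQUIRED_ANY = {
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
}
# Assumption of this example: what counts as "weak or null".
WEAK_CIPHER_PREFIXES = ("NULL", "DES_", "DES40", "RC4_40", "RC2")
PREFERRED_CIPHER_PREFIXES = ("AES_", "3DES_EDE")

# Constructed sample ClientHello list, in client preference order.
SAMPLE_HELLO = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",           # no ephemeral keys
    "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",     # never supported
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",  # weak
    "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",  # allowed, but not AES/3DES
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",       # mandatory suite
]

def parse(suite):
    """Split '<TLS|SSL>_<kx>_WITH_<cipher>' into (kx, cipher), else None."""
    _, _, body = suite.partition("_")
    kx, sep, cipher = body.partition("_WITH_")
    return (kx, cipher) if sep else None

def is_acceptable(suite):
    """MUST rules: ephemeral key exchange, and neither weak nor null."""
    parsed = parse(suite)
    if parsed is None or suite in NEVER_SUPPORTED:
        return False
    kx, cipher = parsed
    ephemeral = kx.startswith(("DHE_", "ECDHE_"))
    weak = "EXPORT" in kx or "anon" in kx or cipher.startswith(WEAK_CIPHER_PREFIXES)
    return ephemeral and not weak

def is_preferred(suite):
    """SHOULD NOT rule: stay with AES or 3DES when the client offers them."""
    return parse(suite)[1].startswith(PREFERRED_CIPHER_PREFIXES)

def choose_suite(client_suites):
    """Return the suite the server picks; reject non-conforming clients."""
    if not REQUIRED_ANY & set(client_suites):
        raise ValueError("client lacks a mandatory DHE-RSA-AES suite")
    acceptable = [s for s in client_suites if is_acceptable(s)]
    preferred = [s for s in acceptable if is_preferred(s)]
    return (preferred or acceptable)[0]

if __name__ == "__main__":
    print(choose_suite(SAMPLE_HELLO))
```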