[tor-bugs] #11598 [Tor]: Investigate using of TLSv1_method instead of SSLv23_method

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Aug 13 16:29:30 UTC 2014


#11598: Investigate using of TLSv1_method instead of SSLv23_method
-----------------------------+--------------------------------
     Reporter:  cypherpunks  |      Owner:
         Type:  defect       |     Status:  new
     Priority:  normal       |  Milestone:  Tor: 0.2.6.x-final
    Component:  Tor          |    Version:
   Resolution:               |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+--------------------------------

Comment (by nickm):

 From the manpage:
 {{{
        TLSv1_method(void), TLSv1_server_method(void),
        TLSv1_client_method(void)
            A TLS/SSL connection established with these methods will only
            understand the TLSv1 protocol. A client will send out TLSv1 client
            hello messages and will indicate that it only understands TLSv1. A
            server will only understand TLSv1 client hello messages. This
            especially means, that it will not understand SSLv2 client hello
            messages which are widely used for compatibility reasons, see
            SSLv23_*_method(). It will also not understand SSLv3 client hello
            messages.

        SSLv23_method(void), SSLv23_server_method(void),
        SSLv23_client_method(void)
            A TLS/SSL connection established with these methods will understand
            the SSLv2, SSLv3, and TLSv1 protocol. A client will send out SSLv2
            client hello messages and will indicate that it also understands
            SSLv3 and TLSv1. A server will understand SSLv2, SSLv3, and TLSv1
            client hello messages. This is the best choice when compatibility
            is a concern.
 }}}

 If existing clients are sending out the old ClientHello types, we can't
 demand TLS 1.0.  But does disabling SSL2 and SSL3 make it send a TLS1
 ClientHello?  Somebody needs to look at the openssl code (ick) to see
 what clients are actually sending.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11598#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
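The open question in the comment above is which ClientHello framing clients actually put on the wire. The classifier below is an added example, not code from the ticket or from Tor: given the first bytes of a captured handshake it tells an SSLv2-compatible hello (as sent by OpenSSL's SSLv23 client methods) apart from an SSLv3/TLS record-layer hello (as sent by the TLSv1 methods) and reports the version the client advertises. The two sample hellos are constructed by hand, not captured traffic.

```python
# Added example: classify the framing of a ClientHello. Framing rules follow
# RFC 2246 (section 6.2 record layer, appendix E SSLv2-compatible hello).
VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
                 (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def _name(major: int, minor: int) -> str:
    return VERSION_NAMES.get((major, minor), f"unknown({major}.{minor})")


def classify_client_hello(data: bytes) -> dict:
    """Return the hello format and the client_version the peer offers."""
    if len(data) < 6:
        raise ValueError("need at least 6 bytes of the handshake")
    if data[0] & 0x80:
        # SSLv2-compatible framing: high bit set, 15-bit record length,
        # then message type 0x01 (CLIENT-HELLO) and a 2-byte version.
        # An SSLv23 client uses this shape while still advertising TLS
        # in the version field, which is why a TLSv1-only server rejects it.
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        if data[2] != 0x01:
            raise ValueError("SSLv2 framing but not a CLIENT-HELLO")
        return {"format": "sslv2_hello", "record_length": rec_len,
                "client_version": _name(data[3], data[4])}
    if data[0] == 0x16:
        # SSLv3/TLS record layer: type 0x16 (handshake), record version,
        # 2-byte length, then handshake type 0x01 + 3-byte length + version.
        rec_len = int.from_bytes(data[3:5], "big")
        if len(data) < 11 or data[5] != 0x01:
            raise ValueError("TLS record but not a ClientHello")
        return {"format": "tls_record_hello", "record_length": rec_len,
                "record_version": _name(data[1], data[2]),
                "client_version": _name(data[9], data[10])}
    raise ValueError("not a recognised ClientHello framing")


# Constructed sample 1: SSLv2-compatible hello advertising TLS 1.0, one
# 3-byte cipher spec (0x00002f), no session id, 16-byte challenge.
SSLV2_COMPAT_HELLO = (bytes([0x80, 0x1C, 0x01, 0x03, 0x01, 0x00, 0x03,
                             0x00, 0x00, 0x00, 0x10])
                      + b"\x00\x00\x2f" + bytes(16))

# Constructed sample 2: TLS 1.0 record-layer ClientHello, 32-byte random,
# no session id, one cipher suite (0x002f), null compression.
TLS10_HELLO = (bytes([0x16, 0x03, 0x01, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x29,
                      0x03, 0x01])
               + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00")

if __name__ == "__main__":
    for sample in (SSLV2_COMPAT_HELLO, TLS10_HELLO):
        print(classify_client_hello(sample))
```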