[tor-commits] [tor/maint-0.2.4] Merge remote-tracking branch 'origin/maint-0.2.3' into maint-0.2.4

nickm at torproject.org nickm at torproject.org
Thu Oct 16 13:08:33 UTC 2014 

commit 943fd4a252ad252d7d594622d5988634ddf8f1fc
Merge: 288b3ec c1c83eb
Author: Nick Mathewson <nickm at torproject.org>
Date:   Thu Oct 16 09:08:32 2014 -0400

    Merge remote-tracking branch 'origin/maint-0.2.3' into maint-0.2.4

 changes/disable_sslv3 |    4 ++++
 src/common/tortls.c   |    4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --cc src/common/tortls.c
index c13b12f,11fe220..4222f6d
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@@ -1276,11 -1180,8 +1276,12 @@@ tor_tls_context_new(crypto_pk_t *identi
    if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
      goto error;
    SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
+   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
  
 +  /* Prefer the server's ordering of ciphers: the client's ordering has
 +  * historically been chosen for fingerprinting resistance. */
 +  SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 +
    /* Disable TLS1.1 and TLS1.2 if they exist.  We need to do this to
     * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
     * June 2012), wherein renegotiating while using one of these TLS
@@@ -1302,18 -1200,12 +1303,19 @@@
     * using them can make our perfect forward secrecy a little worse, *and*
     * create an opportunity to fingerprint us (since it's unusual to use them
     * with TLS sessions turned off).
 +   *
 +   * In 0.2.4, clients advertise support for them though, to avoid a TLS
 +   * distinguishability vector.  This can give us worse PFS, though, if we
 +   * get a server that doesn't set SSL_OP_NO_TICKET.  With luck, there will
 +   * be few such servers by the time 0.2.4 is more stable.
     */
  #ifdef SSL_OP_NO_TICKET
 -  SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
 +  if (! is_client) {
 +    SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
 +  }
  #endif
  
+   /* XXX This block is now obsolete. */
    if (
  #ifdef DISABLE_SSL3_HANDSHAKE
        1 ||

More information about the tor-commits mailing list