[tor-commits] [tor/master] Change servers to never pick 3DES.
nickm at torproject.org
nickm at torproject.org
Tue Sep 13 12:54:49 UTC 2016
commit c2d1356739992e1df16e2f0fce6cedb5d4396323
Author: Nick Mathewson <nickm at torproject.org>
Date: Mon Sep 5 14:09:14 2016 -0400
Change servers to never pick 3DES.
Closes ticket 19998.
---
changes/bug19998 | 6 ++++++
src/common/tortls.c | 11 +++--------
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/changes/bug19998 b/changes/bug19998
new file mode 100644
index 0000000..d01589d
--- /dev/null
+++ b/changes/bug19998
@@ -0,0 +1,6 @@
+ o Minor features (security, TLS):
+ - Servers no longer support clients that do not provide AES
+ ciphersuites. (3DES is no longer considered an acceptable
+ cipher.) We believe that no such clients currently exist,
+ since we have required OpenSSL 0.9.7 or later since 2009.
+ Closes ticket 19998.
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 23889be..cf3c8ab 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -552,8 +552,7 @@ MOCK_IMPL(STATIC X509 *,
* claiming extra unsupported ciphers in order to avoid fingerprinting. */
#define SERVER_CIPHER_LIST \
(TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" \
- TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" \
- SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
+ TLS1_TXT_DHE_RSA_WITH_AES_128_SHA)
/** List of ciphers that servers should select from when we actually have
* our choice of what cipher to use. */
@@ -593,12 +592,8 @@ static const char UNRESTRICTED_SERVER_CIPHER_LIST[] =
/* Required */
TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
/* Required */
- TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
-#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
- TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA ":"
-#endif
- /* Required */
- SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA;
+ TLS1_TXT_DHE_RSA_WITH_AES_128_SHA
+ ;
/* Note: to set up your own private testing network with link crypto
* disabled, set your Tors' cipher list to
More information about the tor-commits
mailing list