[tor-commits] [tor/release-0.3.3] Tell openssl to build its TLS contexts with security level 1

nickm at torproject.org nickm at torproject.org
Fri Sep 7 13:16:04 UTC 2018


commit 2ec88a2a6ddef1b916425438b9648879a977b120
Author: Nick Mathewson <nickm at torproject.org>
Date:   Fri Sep 7 08:57:14 2018 -0400

    Tell openssl to build its TLS contexts with security level 1
    
    Fixes bug 27344, where we'd break compatibility with old tors by
    rejecting RSA1024 and DH1024.
---
 changes/bug27344    | 4 ++++
 configure.ac        | 1 +
 src/common/tortls.c | 6 +++++-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/changes/bug27344 b/changes/bug27344
new file mode 100644
index 000000000..9f6685558
--- /dev/null
+++ b/changes/bug27344
@@ -0,0 +1,4 @@
+  o Minor features (compatibility):
+    - Tell OpenSSL to maintain backward compatibility with previous
+      RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these ciphers
+      are disabled by default. Closes ticket 27344.
diff --git a/configure.ac b/configure.ac
index 76b3f423a..5ac3579d7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -678,6 +678,7 @@ AC_CHECK_FUNCS([ \
                 SSL_get_client_ciphers \
                 SSL_get_client_random \
 		SSL_CIPHER_find \
+                SSL_CTX_set_security_level \
 		TLS_method
 	       ])
 
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 4cbe8b10e..1f2fe1ce1 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1130,6 +1130,11 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
   if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
     goto error;
 #endif
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+  /* Level 1 re-enables RSA1024 and DH1024 for compatibility with old tors */
+  SSL_CTX_set_security_level(result->ctx, 1);
+#endif
+
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
 
@@ -2555,4 +2560,3 @@ evaluate_ecgroup_for_tls(const char *ecgroup)
 
   return ret;
 }
-





More information about the tor-commits mailing list