commit 943fd4a252ad252d7d594622d5988634ddf8f1fc
Merge: 288b3ec c1c83eb
Author: Nick Mathewson <nickm(a)torproject.org>
Date: Thu Oct 16 09:08:32 2014 -0400
Merge remote-tracking branch 'origin/maint-0.2.3' into maint-0.2.4
changes/disable_sslv3 | 4 ++++
src/common/tortls.c | 4 +++-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --cc src/common/tortls.c
index c13b12f,11fe220..4222f6d
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@@ -1276,11 -1180,8 +1276,12 @@@ tor_tls_context_new(crypto_pk_t *identi
if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
goto error;
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
+ /* Prefer the server's ordering of ciphers: the client's ordering has
+ * historically been chosen for fingerprinting resistance. */
+ SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+
/* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to
* workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
* June 2012), wherein renegotiating while using one of these TLS
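Review bot: The new `SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);` line has no comment saying why SSLv3 is refused, while the `SSL_OP_CIPHER_SERVER_PREFERENCE` line right after it does explain itself; I'd add `/* Never negotiate SSLv3: see changes/disable_sslv3 in this commit. */` (that changes file is in the diffstat but its text is not in this hunk, so the comment should carry the actual reason). The two protocol-version options could also be set in one call, `SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`, which makes the accepted-version floor readable at a glance. Worth noting in that comment: the block that follows disables TLS1.1 and TLS1.2 as a workaround for affected OpenSSL 1.0.1 builds, so on such builds this context presumably negotiates TLS1.0 only once SSLv3 is gone — if that workaround is ever extended to TLS1.0, no version remains and every handshake fails, which a comment here should warn about. tor_tls_context_new starts before and continues past this hunk.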
@@@ -1302,18 -1200,12 +1303,19 @@@
* using them can make our perfect forward secrecy a little worse, *and*
* create an opportunity to fingerprint us (since it's unusual to use them
* with TLS sessions turned off).
+ *
+ * In 0.2.4, clients advertise support for them though, to avoid a TLS
+ * distinguishability vector. This can give us worse PFS, though, if we
+ * get a server that doesn't set SSL_OP_NO_TICKET. With luck, there will
+ * be few such servers by the time 0.2.4 is more stable.
*/
#ifdef SSL_OP_NO_TICKET
- SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
+ if (! is_client) {
+ SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
+ }
#endif
+ /* XXX This block is now obsolete. */
if (
#ifdef DISABLE_SSL3_HANDSHAKE
1 ||