commit 5bd3290df3254e6ffb3ac80150f8c8217fd0ac66 Author: Nick Mathewson nickm@torproject.org Date: Wed Oct 7 10:16:37 2015 -0400

Remove workaround code for broken client-side renegotiation

Since 11150 removed client-side support for renegotiation, we no longer need to make sure we have an openssl/TLSvX combination that supports it (client-side) --- src/common/tortls.c | 17 ----------------- 1 file changed, 17 deletions(-)

diff --git a/src/common/tortls.c b/src/common/tortls.c index 4321330..86f48a4 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1124,23 +1124,6 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, * historically been chosen for fingerprinting resistance. */ SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);

- /* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to - * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1 - * June 2012), wherein renegotiating while using one of these TLS - * protocols will cause the client to send a TLS 1.0 ServerHello - * rather than a ServerHello written with the appropriate protocol - * version. Once some version of OpenSSL does TLS1.1 and TLS1.2 - * renegotiation properly, we can turn them back on when built with - * that version. */ -#if OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,1,'e') -#ifdef SSL_OP_NO_TLSv1_2 - SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2); -#endif -#ifdef SSL_OP_NO_TLSv1_1 - SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1); -#endif -#endif - /* Disable TLS tickets if they're supported. We never want to use them; * using them can make our perfect forward secrecy a little worse, *and* * create an opportunity to fingerprint us (since it's unusual to use them