commit 943fd4a252ad252d7d594622d5988634ddf8f1fc Merge: 288b3ec c1c83eb Author: Nick Mathewson nickm@torproject.org Date: Thu Oct 16 09:08:32 2014 -0400
Merge remote-tracking branch 'origin/maint-0.2.3' into maint-0.2.4
changes/disable_sslv3 | 4 ++++ src/common/tortls.c | 4 +++- 2 files changed, 7 insertions(+), 1 deletion(-)
diff --cc src/common/tortls.c
index c13b12f,11fe220..4222f6d
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@@ -1276,11 -1180,8 +1276,12 @@@ tor_tls_context_new(crypto_pk_t *identi
 if (!(result->ctx = SSL_CTX_new(SSLv23_method()))) goto error;
 SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
+ SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
+ /* Prefer the server's ordering of ciphers: the client's ordering has
+ * historically been chosen for fingerprinting resistance. */
+ SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ /* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to
 * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
 * June 2012), wherein renegotiating while using one of these TLS
@@@ -1302,18 -1200,12 +1303,19 @@@ * using them can make our perfect forward secrecy a little worse, *and*
 * create an opportunity to fingerprint us (since it's unusual to use them
 * with TLS sessions turned off).
+ *
+ * In 0.2.4, clients advertise support for them though, to avoid a TLS
+ * distinguishability vector. This can give us worse PFS, though, if we
+ * get a server that doesn't set SSL_OP_NO_TICKET. With luck, there will
+ * be few such servers by the time 0.2.4 is more stable. */
#ifdef SSL_OP_NO_TICKET
- SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
+ if (! is_client) {
+ SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
+ }
#endif
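Review bot: The new `SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);` line right after the SSLv2 one carries no comment saying why SSLv3 is now refused, whereas the SSL_OP_CIPHER_SERVER_PREFERENCE and TLS1.1/1.2 options in the same hunk each record their motivation; suggest `/* Disable SSLv3 as well; see changes/disable_sslv3. */` above it, or fold the two into one call, `SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`. With SSLv3 rejected at the context level, the `DISABLE_SSL3_HANDSHAKE` block that the second hunk only labels obsolete presumably becomes dead configuration and would be clearer removed in a follow-up than left under an XXX. tor_tls_context_new begins before this hunk and continues past it.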
+ /* XXX This block is now obsolete. */
 if (
#ifdef DISABLE_SSL3_HANDSHAKE
 1 ||