Thanks Nick for the fast answer.
I went through the official OpenSSL cipher docs but also found a nice (probably outdated) list on Stack Overflow.
Ciphers:
  no-idea      -DOPENSSL_NO_IDEA
  no-aes       -DOPENSSL_NO_AES
  no-camellia  -DOPENSSL_NO_CAMELLIA
  no-seed      -DOPENSSL_NO_SEED
  no-bf        -DOPENSSL_NO_BF
  no-cast      -DOPENSSL_NO_CAST
  no-des       -DOPENSSL_NO_DES
  no-rc2       -DOPENSSL_NO_RC2
  no-rc4       -DOPENSSL_NO_RC4
  no-rc5       -DOPENSSL_NO_RC5

  no-md2       -DOPENSSL_NO_MD2
  no-md4       -DOPENSSL_NO_MD4
  no-md5       -DOPENSSL_NO_MD5
  no-sha       -DOPENSSL_NO_SHA
  no-ripemd    -DOPENSSL_NO_RIPEMD
  no-mdc2      -DOPENSSL_NO_MDC2

  no-rsa       -DOPENSSL_NO_RSA
  no-dsa       -DOPENSSL_NO_DSA
  no-dh        -DOPENSSL_NO_DH

  no-ec        -DOPENSSL_NO_EC
  no-ecdsa     -DOPENSSL_NO_ECDSA
  no-ecdh      -DOPENSSL_NO_ECDH

Non-cipher functionality:
  no-sock      -DOPENSSL_NO_SOCK     No socket code.
  no-ssl2      -DOPENSSL_NO_SSL2     No SSLv2.
  no-ssl3      -DOPENSSL_NO_SSL3     No SSLv3.
  no-err       -DOPENSSL_NO_ERR      No error strings.
  no-krb5      -DOPENSSL_NO_KRB5     No Kerberos v5.
  no-engine    -DOPENSSL_NO_ENGINE   No dynamic engines.
  no-hw        -DOPENSSL_NO_HW       No support for external hardware.

Not documented:
  no-tlsext    -DOPENSSL_NO_TLSEXT
  no-cms       -DOPENSSL_NO_CMS
  no-jpake     -DOPENSSL_NO_JPAKE
  no-capieng   -DOPENSSL_NO_CAPIENG
I recompiled OpenSSL with the following ciphers disabled:

  no-krb5 no-ssl2 no-dso no-engines no-hw no-idea no-err \
  no-mdc2 no-rc5 no-camellia no-seed no-des no-dsa no-ec \
  no-ecdsa no-ecdh no-ripemd no-md2 no-md4 no-cast no-bf \
  no-cms no-jpake no-capieng

Enabled: shared threads enable-tlsext zlib
That gets me a nice stripped 1.2MB libcrypto and 300KB libssl.
It does mention OpenSSL has been built with ciphers disabled: Jul 13 15:55:54.000 [notice] We weren't able to find support for all of the TLS ciphersuites that we wanted to advertise. This won't hurt security, but it might make your Tor (if run as a client) more easy for censors to block.
However, it works very well; even after clearing the cache it connects very fast (faster than the MIPS build). If you happen to know of more ciphers that can be disabled (without using router functionality), please let me know.
2012/7/13 Nick Mathewson nickm@alum.mit.edu
On Fri, Jul 13, 2012 at 8:14 AM, Gino Badouri g.badouri@gmail.com wrote:
Hi!
From the OpenSSL documentation it seems that no-hw and no-engines leaves out support for hardware crypto engines so those are safe to set (our devices don't have them).
Could anybody provide us with more "no-" options for ciphers we can skip? Thanks a lot!
The absolutely required cryptographic primitives for Tor are AES, SHA1, SHA256, DH, and RSA. This may grow in the future.
Be aware though that being unable to negotiate certain ciphersuites might make your devices more fingerprintable, since starting in 0.2.3.x Tor will no longer advertise openssl-supported ciphersuites that it doesn't have.
--
Nick

_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
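The two checks the thread implies, written out as an added example (this is not code from the thread or from the Tor or OpenSSL projects): a lint that refuses a Configure option set which would strip one of the primitives Nick lists as required (AES, SHA1, SHA256, DH, RSA), and a post-build probe that exercises each of those primitives through the built openssl binary so a bad no-* set fails at build time rather than at Tor startup. The option-name-to-primitive mapping assumes the OpenSSL 1.0.x Configure convention that no-<alg> defines OPENSSL_NO_<ALG>; the finer-grained no-sha1/no-sha256 entries are an assumption in case a given Configure accepts them, and the function names and the hypothetical --run entry point are mine.

```shell
#!/bin/sh
# Added example, not from the tor-dev thread: sanity checks for a stripped
# OpenSSL build meant for Tor. Required primitives per Nick's reply:
# AES, SHA1, SHA256, DH, RSA.

# Configure options that would remove a required primitive (assumption:
# OpenSSL 1.0.x naming; no-sha drops the whole SHA family, and no-sha1 /
# no-sha256 are listed in case a Configure accepts the finer-grained form).
TOR_REQUIRED_NO_OPTS="no-aes no-sha no-sha1 no-sha256 no-dh no-rsa"

# check_configure_opts "<space-separated Configure options>"
# Returns 1 and reports every option that would break Tor, 0 if the set is safe.
check_configure_opts() {
    bad=""
    for opt in $1; do
        case " $TOR_REQUIRED_NO_OPTS " in
            *" $opt "*) bad="$bad $opt" ;;
        esac
    done
    if [ -n "$bad" ]; then
        echo "refusing: these options remove primitives Tor needs:$bad" >&2
        return 1
    fi
    return 0
}

# verify_build "<path to the freshly built openssl binary>"
# Exercises each required primitive via the command-line tool; a build whose
# no-* set went too far fails here instead of when Tor first dials a relay.
verify_build() {
    bin="$1"
    k=000102030405060708090a0b0c0d0e0f   # 16-byte throwaway key/IV, hex
    printf x | "$bin" dgst -sha1   >/dev/null 2>&1 || { echo "SHA1 missing"   >&2; return 1; }
    printf x | "$bin" dgst -sha256 >/dev/null 2>&1 || { echo "SHA256 missing" >&2; return 1; }
    printf x | "$bin" enc -aes-128-cbc -K "$k" -iv "$k" >/dev/null 2>&1 \
        || { echo "AES missing" >&2; return 1; }
    "$bin" genrsa 512  >/dev/null 2>&1 || { echo "RSA missing" >&2; return 1; }
    "$bin" dhparam 512 >/dev/null 2>&1 || { echo "DH missing"  >&2; return 1; }
    return 0
}

# The option set posted earlier in this thread, for reference.
GINO_OPTS="no-krb5 no-ssl2 no-dso no-engines no-hw no-idea no-err \
no-mdc2 no-rc5 no-camellia no-seed no-des no-dsa no-ec \
no-ecdsa no-ecdh no-ripemd no-md2 no-md4 no-cast no-bf \
no-cms no-jpake no-capieng"

# Hypothetical entry point: ./check.sh --run [path/to/openssl]
if [ "${1:-}" = "--run" ]; then
    check_configure_opts "$GINO_OPTS" && echo "configure options OK"
    if [ -n "${2:-}" ]; then
        verify_build "$2" && echo "binary OK"
    fi
fi
```

Run the lint against the exact string you pass to ./Configure, then point verify_build at the apps/openssl binary from the build tree before installing; the RSA and DH probes use 512-bit sizes only to keep the check fast, they say nothing about what Tor itself negotiates.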