[tor-bugs] #4822 [Tor Client]: Avoid vulnerability CVE-2011-4576 : Disable SSL3?

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Wed Jan 4 22:19:12 UTC 2012


#4822: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
------------------------+---------------------------------------------------
 Reporter:  nickm       |          Owner:                    
     Type:  defect      |         Status:  new               
 Priority:  critical    |      Milestone:  Tor: 0.2.1.x-final
Component:  Tor Client  |        Version:                    
 Keywords:              |         Parent:                    
   Points:              |   Actualpoints:                    
------------------------+---------------------------------------------------

Comment(by nickm):

 Have a look at branch "bug4822_021" in my public repo.

 I considered an approach where we would allow any handshake, but disallow
 any SSL3 ciphers so that the handshake would fail if the ssl3 handshake
 were actually tried.  Problem was, openssl allows tls1 ciphers with the
 ssl3 handshake, so that wouldn't have worked.  (Thanks to asn for testing
 that.)

 This needs review and a changes file.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4822#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

