[tor-bugs] #4822 [Tor Client]: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Jan 4 23:47:30 UTC 2012
#4822: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
------------------------+---------------------------------------------------
Reporter: nickm | Owner:
Type: defect | Status: needs_review
Priority: critical | Milestone: Tor: 0.2.1.x-final
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by nickm_mobile):
Replying to [comment:6 rransom]:
> Replying to [comment:5 rransom]:
> > This needs to be tested to determine whether a server which uses
`TLSv1_method` can receive a connection from a client which uses
`SSLv23_method`. (When I read the OpenSSL documentation for those, it
sort of hinted that that would not work.)
>
> BZZZT! Wrong. The documentation (`SSL_CTX_new(3ssl)`) says quite
explicitly that that will not work:
Ugh. So that patch would break compatibility with existing tors. Yuck.
We could have clients use TLSv1_method, at least. That would be something.
Servers would probably need some disgusting hackery of the info_cb
variety.
Any other ideas?
> Can we afford to throw away all relays run on RHEL/CentOS and other crap
OSes whose OpenSSL packages lie about their versions?
Does anybody claim to have a later openssl version than they really have?
I thought they all were claiming too early.or about right. Any
documentation there?
(Using flyspray from phone is pretty hard, ow)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4822#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list