[tor-bugs] #4822 [Tor Client]: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Thu Jan 5 06:16:54 UTC 2012
#4822: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
------------------------+---------------------------------------------------
Reporter: nickm | Owner:
Type: defect | Status: needs_review
Priority: critical | Milestone: Tor: 0.2.1.x-final
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by rransom):
Replying to [comment:6 rransom]:
> Replying to [comment:5 rransom]:
> > This needs to be tested to determine whether a server which uses
> > `TLSv1_method` can receive a connection from a client which uses
> > `SSLv23_method`. (When I read the OpenSSL documentation for those, it
> > sort of hinted that that would not work.)
>
> BZZZT! Wrong. The documentation (`SSL_CTX_new(3ssl)`) says quite
> explicitly that that will not work:
That chunk of documentation is out of date for clients using OpenSSL 1.0.0
or later. From the CHANGES file:
{{{
Changes between 0.9.8n and 1.0.0 [29 Mar 2010]
}}}
{{{
*) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
this allows the use of compression and extensions. Change default cipher
string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
by default unless an application cipher string requests it.
[Steve Henson]
}}}
But I expect that clients using `SSLv23_method` still won't be able to
connect to servers using `TLSv1_method`.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4822#comment:25>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
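As an added illustration (not code from the ticket, Tor or OpenSSL) of the two ClientHello formats the CHANGES entry refers to: a minimal classifier, with constructed sample hellos, that tells an SSLv2-compatible CLIENT-HELLO (what older `SSLv23_method` clients send) from a TLS record-layer ClientHello and flags genuine SSLv2 cipher specs. Field layouts follow the SSLv2 draft and RFC 2246; whether a given server method accepts either format is the interoperability question left open above and is not tested here.

```python
import struct

# Added example (not Tor or OpenSSL code). Two wire formats a server may read first:
# an SSLv2-compatible CLIENT-HELLO (sent by older SSLv23_method clients) or a TLS
# record-layer ClientHello. Both parsers report the version and offered ciphers.
def parse_v2_compat_hello(data: bytes) -> dict:
    """SSLv2 header: 2 bytes, high bit set, 15-bit length; then CLIENT-HELLO."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an SSLv2 record header")
    body = data[2:2 + (((data[0] & 0x7F) << 8) | data[1])]
    if len(body) < 9 or body[0] != 0x01:           # 0x01 = SSL2 CLIENT-HELLO
        raise ValueError("truncated or not a CLIENT-HELLO")
    cs_len, sid_len, ch_len = struct.unpack(">HHH", body[3:9])
    if cs_len % 3 or len(body) < 9 + cs_len + sid_len + ch_len:
        raise ValueError("inconsistent length fields")
    specs = [body[9 + i:12 + i] for i in range(0, cs_len, 3)]
    return {"format": "sslv2_compat",
            "version": (body[1], body[2]),          # highest version the client offers
            "cipher_specs": [s.hex() for s in specs],
            # 00 xx yy is an SSLv3/TLS suite; a non-zero first byte (e.g. 01 00 80) is a real SSLv2 spec
            "offers_sslv2_ciphers": any(s[0] != 0 for s in specs)}

def parse_tls_record_hello(data: bytes) -> dict:
    """TLS record: type 0x16, version, length; then a Handshake ClientHello."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = data[5:5 + struct.unpack(">H", data[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:               # 0x01 = ClientHello
        raise ValueError("truncated or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32 + 1 + (body[34] if len(body) > 34 else 0)   # version, random, session id
    if len(body) < pos + 2:
        raise ValueError("truncated ClientHello")
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    suites = body[pos + 2:pos + 2 + cs_len]
    if cs_len % 2 or len(suites) != cs_len:
        raise ValueError("inconsistent cipher_suites length")
    return {"format": "tls_record", "version": (body[0], body[1]),
            "cipher_specs": [suites[i:i + 2].hex() for i in range(0, cs_len, 2)],
            "offers_sslv2_ciphers": False}          # not expressible in this format

def classify_client_hello(data: bytes) -> dict:
    return parse_tls_record_hello(data) if data[:1] == b"\x16" else parse_v2_compat_hello(data)

# Constructed sample hellos (not captured traffic).
_SPECS = bytes.fromhex("00002f" "010080")      # TLS AES128-SHA, then SSL2 RC4-128-MD5
_V2_BODY = b"\x01\x03\x01" + struct.pack(">HHH", len(_SPECS), 0, 16) + _SPECS + b"\x00" * 16
V2_COMPAT_HELLO = struct.pack(">H", 0x8000 | len(_V2_BODY)) + _V2_BODY
_HS_BODY = b"\x03\x01" + b"\x00" * 32 + b"\x00" + struct.pack(">H", 4) + bytes.fromhex("002f0035") + b"\x01\x00"
_HS = b"\x01" + len(_HS_BODY).to_bytes(3, "big") + _HS_BODY
TLS_RECORD_HELLO = b"\x16\x03\x01" + struct.pack(">H", len(_HS)) + _HS
```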