[tor-bugs] #4822 [Tor Client]: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Mon Jan 9 21:13:37 UTC 2012
#4822: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
---------------------------+------------------------------------------------
    Reporter:  nickm       |       Owner:
        Type:  defect      |      Status:  closed
    Priority:  critical    |   Milestone:  Tor: 0.2.1.x-final
   Component:  Tor Client  |     Version:
  Resolution:  fixed       |    Keywords:
      Parent:              |      Points:
Actualpoints:              |
---------------------------+------------------------------------------------
Changes (by nickm):
* status: reopened => closed
* resolution: => fixed
Comment:
Okay, so if I understand correctly, wanoskarnet is saying that our reading
of the TLSv1_method() documentation and the SSLv23_method() documentation
is wrong: that a TLSv1_method() client can connect perfectly well to an
SSLv23_method() server, and vice versa.

I'm attaching a quick&dirty test program to demonstrate this (using some
code from libevent and some from the openssl docs).

This doesn't mean that we need any changes in the code, except for fixing
the comment to be correct. I'll do that after I attach the demo code.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4822#comment:36>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online