[tor-bugs] #6055 [Tor Relay]: Re-enable TLS 1.1 and TLS 1.2 once they are fixed
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Mon Jun 4 16:12:15 UTC 2012
#6055: Re-enable TLS 1.1 and TLS 1.2 once they are fixed
-------------------------+--------------------------------------------------
Reporter: nickm | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Tor: 0.2.3.x-final
Component: Tor Relay | Version:
Keywords: | Parent:
Points: | Actualpoints:
-------------------------+--------------------------------------------------
See #6033 for why we needed to disable TLS1.1 and TLS1.2.
We'd like to turn them back on once OpenSSL 1.0.1d comes out with the
bugfix. The easiest way to do that will be to make the whole block that
disables them conditional on the compile-time OpenSSL version.
Of course, we'll have the obvious problem: many vendors will only
partially backport openssl changes, and will not bump the OpenSSL version
when they do so. We should see where and how this is a problem: Right
now, Ubuntu 12.04 (LTS!? :( ) seems to be the likeliest place for a
problem to occur here, since it's shipping a patched 1.0.1 that it calls
1.0.1-4.
If we decide we need to re-enable TLS on these platforms too, here are the
options I can think of:
* Try renegotiation with TLS 1.2 with ourselves at runtime. If that
fails, disable TLS 1.1 and TLS 1.2.
* Have a compile-time or runtime option that tells us that openssl has
been fixed.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6055>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
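Added example (not code from the ticket or from Tor): the compile-time gate the ticket proposes, with the runtime override for vendor backports, written against OpenSSL's 0xMNNFFPPS version encoding. OSSL_VER, OSSL_FIRST_FIXED, the NO_TLSv1_* constants and tls_workaround_options are assumed names, and the flag values stand in for OpenSSL's so the file builds without its headers.

```c
#include <stdio.h>
#include <string.h>
/* OpenSSL packs OPENSSL_VERSION_NUMBER as 0xMNNFFPPS: major, minor, fix,
 * patch letter (a=1, b=2, ...), status (0xf = release). Assumed helper
 * macro, not Tor's; for 1.0.1d it yields the real value 0x1000104fL. */
#define OSSL_VER(major, minor, fix, patch) \
  (((unsigned long)(major) << 28) | ((unsigned long)(minor) << 20) | \
   ((unsigned long)(fix) << 12) | ((unsigned long)(patch) << 4) | 0xfUL)

/* First release expected to carry the fix the ticket is waiting for. */
#define OSSL_FIRST_FIXED OSSL_VER(1, 0, 1, 4)   /* 1.0.1d */

/* Stand-ins for SSL_OP_NO_TLSv1_1 / SSL_OP_NO_TLSv1_2 (assumed values so the
 * example builds without OpenSSL headers). */
#define NO_TLSv1_1 0x10000000UL
#define NO_TLSv1_2 0x08000000UL

/* Options to OR into the SSL context before handshaking. The version test is
 * the compile-time gate the ticket proposes around the #6033 block; the
 * vendor_says_fixed flag is its second option, for distributions that
 * backport the fix without bumping OPENSSL_VERSION_NUMBER. */
unsigned long tls_workaround_options(unsigned long openssl_version,
                                     int vendor_says_fixed)
{
  if (openssl_version >= OSSL_FIRST_FIXED)
    return 0;                        /* genuine 1.0.1d or newer */
  if (vendor_says_fixed)
    return 0;                        /* explicit override for backports */
  return NO_TLSv1_1 | NO_TLSv1_2;    /* keep the #6033 workaround */
}

/* Render a packed version as "1.0.1d" for a log line explaining the choice. */
void ossl_version_str(unsigned long v, char *buf, size_t n)
{
  unsigned long major = (v >> 28) & 0xf, minor = (v >> 20) & 0xff;
  unsigned long fix = (v >> 12) & 0xff, patch = (v >> 4) & 0xff;
  if (patch >= 1 && patch <= 26)
    snprintf(buf, n, "%lu.%lu.%lu%c", major, minor, fix, (int)('a' + patch - 1));
  else
    snprintf(buf, n, "%lu.%lu.%lu", major, minor, fix);
}

int main(void)
{
  char buf[16];
  ossl_version_str(OSSL_VER(1, 0, 1, 3), buf, sizeof buf);
  printf("%s: options 0x%lx\n", buf, tls_workaround_options(OSSL_VER(1, 0, 1, 3), 0));
  return 0;
}
```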