[tor-bugs] #7139 [Tor]: Tor involuntarily sets TLS session tickets

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Wed Oct 17 20:33:14 UTC 2012


#7139: Tor involuntarily sets TLS session tickets
-------------------------+--------------------------------------------------
    Reporter:  nextgens  |        Type:  defect              
      Status:  new       |    Priority:  normal              
   Milestone:            |   Component:  Tor                 
     Version:            |    Keywords:  ssl tls security pfs
      Parent:            |      Points:                      
Actualpoints:            |  
-------------------------+--------------------------------------------------
 This is bad for at least two reasons:

 1) performance: It increases the size (~160 bytes) of the ChangeCipherSpec
 message during the handshake; it also makes the server encrypt and HMAC
 the ticket

 2) security: It has implications regarding the PFS interval (no immediate
 security concern here as the server certificates are ephemeral;
 MAX_SSL_KEY_LIFETIME_INTERNAL = 2h atm) and exposes more attack surface
 than strictly necessary (Tor doesn't use the tickets in any case: that's
 why it disables the session-cache)

 To disable session-tickets altogether (TLS1+ feature), one should use:
 SSL_CTX_set_options(... , ...|SSL_OP_NO_TICKET)
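
 Added example, not from the ticket or the Tor code base: the Python ssl
 equivalent of the SSL_OP_NO_TICKET fix above, plus a small parser that
 reports whether a captured ServerHello advertises the session_ticket
 extension (type 35), which is how a defender would confirm the option took
 effect on the wire. The ServerHello bytes are constructed inline; the
 helper and function names are this example's own.

```python
import ssl
import struct

SESSION_TICKET_EXT = 35  # RFC 5077 "session_ticket" extension type

def no_ticket_server_context() -> ssl.SSLContext:
    """Server context with session tickets disabled (ssl.OP_NO_TICKET
    maps to OpenSSL's SSL_OP_NO_TICKET)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_TICKET
    return ctx

def server_hello_extensions(msg: bytes) -> list:
    """Parse a TLS 1.2 ServerHello handshake message and return the
    extension types it carries, in order. Raises ValueError on malformed
    input rather than silently reading past the end."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                      # protocol version + random
    sid_len = body[pos]; pos += 1 + sid_len
    pos += 2 + 1                      # cipher suite + compression method
    if pos == len(body):
        return []                     # no extensions block at all
    ext_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("bad extensions length")
    types = []
    while pos + 4 <= end:
        ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4 + ext_data_len
        types.append(ext_type)
    if pos != end:
        raise ValueError("extension overruns extensions block")
    return types

def offers_session_ticket(msg: bytes) -> bool:
    return SESSION_TICKET_EXT in server_hello_extensions(msg)

def build_server_hello(ext_types) -> bytes:
    """Constructed sample ServerHello (TLS 1.2, zero random, empty
    session id, ECDHE-RSA-AES128-GCM-SHA256) with empty extensions."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    return b"\x02" + len(body).to_bytes(3, "big") + body
```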

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7139>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
