[tor-bugs] #11528 [Tor]: Consider using SSL_OP_CIPHER_SERVER_PREFERENCE

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 15 20:56:23 UTC 2014


#11528: Consider using SSL_OP_CIPHER_SERVER_PREFERENCE
----------------------------------------+----------------------------------
 Reporter:  nickm                       |          Owner:
     Type:  defect                      |         Status:  new
 Priority:  normal                      |      Milestone:  Tor:
Component:  Tor                         |  0.2.5.x-final
 Keywords:  tor-relay tls 024-backport  |        Version:
Parent ID:                              |  Actual Points:
                                        |         Points:
----------------------------------------+----------------------------------
 With #11513, we gave the servers a reasonable set of ciphers to allow.  On
 that ticket, cypherpunks notes:

 >By default server follows client's preference. It depends on the
 >SSL_OP_CIPHER_SERVER_PREFERENCE option. Is it worth to prevent any
 >possible client's insecure choice or to allow client to choose its own
 >destiny? (if something wrong with one of cipher then client's software
 >would be updated faster)
 >Either way, server's cipher list should be ordered for clarity, just in
 >case and for future.

 So to be clear, my understanding is that the algorithm is to take the
 intersection of the client's list and the server's list, and then pick the
 item in the intersection that appeared first on the client's order (by
 default) or the item in the intersection that appeared first on the
 server's list (if SSL_OP_CIPHER_SERVER_PREFERENCE is set on the server).

 Which way shall we do it?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11528>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
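
The selection rule described in the ticket, as an added example that is not part of the original message and not Tor's or OpenSSL's own code: a small C model that picks from the intersection in client order or in server order. The function name `choose_cipher` and the cipher lists are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Return 1 if name appears in list, 0 otherwise. */
static int in_list(const char *name, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, list[i]) == 0)
            return 1;
    return 0;
}

/* Model of the rule in the ticket: walk the "priority" list in order and
 * return the first entry that also appears in the other list.
 * server_pref != 0 models a server that has called
 * SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE). */
const char *choose_cipher(const char *const *client, size_t nc,
                          const char *const *server, size_t ns,
                          int server_pref)
{
    const char *const *prio  = server_pref ? server : client;
    const char *const *allow = server_pref ? client : server;
    size_t np = server_pref ? ns : nc;
    size_t na = server_pref ? nc : ns;

    for (size_t i = 0; i < np; i++)
        if (in_list(prio[i], allow, na))
            return prio[i];
    return NULL; /* empty intersection: the handshake has no shared cipher */
}

/* Constructed sample lists (hypothetical, not Tor's real cipher lists). */
const char *const CLIENT[] = { "DHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
                               "ECDHE-RSA-AES256-GCM-SHA384", "RC4-SHA" };
const char *const SERVER[] = { "ECDHE-RSA-AES256-GCM-SHA384",
                               "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA" };
const char *const LEGACY[] = { "RC4-SHA" }; /* client with nothing the server allows */

int main(void)
{
    const char *c = choose_cipher(CLIENT, COUNT(CLIENT), SERVER, COUNT(SERVER), 0);
    const char *s = choose_cipher(CLIENT, COUNT(CLIENT), SERVER, COUNT(SERVER), 1);
    const char *n = choose_cipher(LEGACY, COUNT(LEGACY), SERVER, COUNT(SERVER), 1);
    printf("client order: %s\n", c ? c : "(none)");
    printf("server order: %s\n", s ? s : "(none)");
    printf("no overlap:   %s\n", n ? n : "(none)");
    return 0;
}
```

In both modes the result is always a cipher the server allows; the option only changes which side's ordering breaks the tie.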

