[tor-bugs] #11598 [Tor]: Investigate using of TLSv1_method instead of SSLv23_method
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Oct 15 01:44:54 UTC 2014
#11598: Investigate using of TLSv1_method instead of SSLv23_method
-------------------------+-------------------------------------------------
Reporter: | Owner:
cypherpunks | Status: new
Type: defect | Milestone: Tor: 0.2.6.x-final
Priority: normal | Version:
Component: Tor | Keywords: tor-client 025-backport
Resolution: | 024-backport
Actual Points: | Parent ID:
Points: |
-------------------------+-------------------------------------------------
Changes (by nickm):
* keywords: => tor-client 025-backport 024-backport
* milestone: Tor: 0.2.??? => Tor: 0.2.6.x-final
Comment:
We should disable support for negotiating SSL v3. Fortunately, Tor
doesn't do the downgrade-on-fail dance, and Tor doesn't retransmit the
same secrets in multiple TLS sessions (thus severely limiting the
usefulness of a padding oracle attack against Tor's SSL), but thanks to
POODLE, the time has come to drop SSL v3.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11598#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list