[tor-bugs] #24978 [Core Tor/Tor]: Tor doesn't work when built with (unreleased) OpenSSL 1.1.1 built with enable-tls1_3

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Feb 10 03:22:36 UTC 2018


#24978: Tor doesn't work when built with (unreleased) OpenSSL 1.1.1 built with
enable-tls1_3
-------------------------------------------------+-------------------------
 Reporter:  nickm                                |          Owner:  nickm
     Type:  defect                               |         Status:  merge_ready
 Priority:  Medium                               |      Milestone:  Tor: 0.3.3.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  029-backport, 031-backport,          |  Actual Points:
  032-backport, openssl, review-group-31         |
Parent ID:                                       |         Points:
 Reviewer:  isis                                 |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by isis):

 * status:  needs_review => merge_ready


Comment:

 IMHO we should merge `bug24978_029_enable`, because opportunistically
 speaking the cleaner, better-designed TLS protocol with the nicer ciphers
 would be preferable to simply disabling it (assuming everything about our
 current link protocol will still function in a TLS 1.3 context).


 One note:

  * `"TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:"`
 is the default ciphersuite list/ordering for OpenSSL 1.1.1. Ours is going
 to now be
 `"TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-SHA256:[…]"`
 (plus some other stuff). I don't know if or how much we should care about
 what will probably eventually result in a preference reordering. This
 means older link protocol tors will be distinguishable from newer ones,
 but they'll look different anyway, so merge at your call.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24978#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

