[tor-commits] [tor/release-0.2.4] Re-enable TLS 1.[12] when building with OpenSSL >= 1.0.1e

arma at torproject.org arma at torproject.org
Sat Nov 2 10:31:24 UTC 2013 

commit ad763a336cb3655151383172bcfa658870ad8950
Author: Nick Mathewson <nickm at torproject.org>
Date:   Tue Aug 13 23:43:39 2013 -0400

    Re-enable TLS 1.[12] when building with OpenSSL >= 1.0.1e
    
    To fix #6033, we disabled TLS 1.1 and 1.2.  Eventually, OpenSSL fixed
    the bug behind #6033.
    
    I've considered alternate implementations that do more testing to see
    if there's secretly an OpenSSL 1.0.1c or something that secretly has a
    backport of the OpenSSL 1.0.1e fix, and decided against it on the
    grounds of complexity.
---
 changes/bug6055     |    6 ++++++
 src/common/tortls.c |    3 +++
 2 files changed, 9 insertions(+)

diff --git a/changes/bug6055 b/changes/bug6055
new file mode 100644
index 0000000..0073007
--- /dev/null
+++ b/changes/bug6055
@@ -0,0 +1,6 @@
+  o Major enhancements:
+    - Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later.
+      (OpenSSL before 1.0.1 didn't have TLS 1.1 or 1.2. OpenSSL from 1.0.1
+      through 1.0.1d had bugs that prevented renegotiation from working
+      with TLS 1.1 or 1.2, so we disabled them to solve bug 6033.) Fix for
+      issue #6055.
diff --git a/src/common/tortls.c b/src/common/tortls.c
index b7e5bc1..90ebb75 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1269,12 +1269,15 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
    * version.  Once some version of OpenSSL does TLS1.1 and TLS1.2
    * renegotiation properly, we can turn them back on when built with
    * that version. */
+#if OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,1,'e')
 #ifdef SSL_OP_NO_TLSv1_2
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2);
 #endif
 #ifdef SSL_OP_NO_TLSv1_1
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1);
 #endif
+#endif
+
   /* Disable TLS tickets if they're supported.  We never want to use them;
    * using them can make our perfect forward secrecy a little worse, *and*
    * create an opportunity to fingerprint us (since it's unusual to use them

More information about the tor-commits mailing list