[tor-commits] [tor/master] Remove workaround code for broken client-side renegotiation

[nickm at torproject.org]

commit 5bd3290df3254e6ffb3ac80150f8c8217fd0ac66
Author: Nick Mathewson <nickm at torproject.org>
Date:   Wed Oct 7 10:16:37 2015 -0400

    Remove workaround code for broken client-side renegotiation
    
    Since 11150 removed client-side support for renegotiation, we no
    longer need to make sure we have an openssl/TLSvX combination that
    supports it (client-side)
---
 src/common/tortls.c |   17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/src/common/tortls.c b/src/common/tortls.c
index 4321330..86f48a4 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1124,23 +1124,6 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
   * historically been chosen for fingerprinting resistance. */
   SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 
-  /* Disable TLS1.1 and TLS1.2 if they exist.  We need to do this to
-   * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
-   * June 2012), wherein renegotiating while using one of these TLS
-   * protocols will cause the client to send a TLS 1.0 ServerHello
-   * rather than a ServerHello written with the appropriate protocol
-   * version.  Once some version of OpenSSL does TLS1.1 and TLS1.2
-   * renegotiation properly, we can turn them back on when built with
-   * that version. */
-#if OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,1,'e')
-#ifdef SSL_OP_NO_TLSv1_2
-  SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2);
-#endif
-#ifdef SSL_OP_NO_TLSv1_1
-  SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1);
-#endif
-#endif
-
   /* Disable TLS tickets if they're supported.  We never want to use them;
    * using them can make our perfect forward secrecy a little worse, *and*
    * create an opportunity to fingerprint us (since it's unusual to use them