[tor-dev] Minimum required ciphers for running Tor as both client and router.
g.badouri at gmail.com
Fri Jul 13 14:06:52 UTC 2012
Thanks Nick for the fast answer.
I went through the official OpenSSL cipher docs but also found a nice
(probably outdated) list on Stack Overflow:
no-sock -DOPENSSL_NO_SOCK No socket code.
no-ssl2 -DOPENSSL_NO_SSL2 No SSLv2.
no-ssl3 -DOPENSSL_NO_SSL3 No SSLv3.
no-err -DOPENSSL_NO_ERR No error strings.
no-krb5 -DOPENSSL_NO_KRB5 No Kerberos v5.
no-engine -DOPENSSL_NO_ENGINE No dynamic engines.
no-hw -DOPENSSL_NO_HW No support for external hardware.
I recompiled OpenSSL with the following ciphers disabled:
no-krb5 no-ssl2 no-dso no-engines no-hw no-idea no-err \
no-mdc2 no-rc5 no-camellia no-seed no-des no-dsa no-ec \
no-ecdsa no-ecdh no-ripemd no-md2 no-md4 no-cast no-bf \
no-cms no-jpake no-capieng
shared threads enable-tlxext zlib
That gets me a nice stripped 1.2MB libcrypto and 300KB libssl.
It does mention that OpenSSL has been built with ciphers disabled:
Jul 13 15:55:54.000 [notice] We weren't able to find support for all
of the TLS ciphersuites that we wanted to advertise. This won't hurt
security, but it might make your Tor (if run as a client) more easy
for censors to block.
However, it works very well; even after clearing the cache it connects
very fast (faster than the MIPS build).
If you happen to know more ciphers that can be disabled (without using
router functionality), please let me know.
2012/7/13 Nick Mathewson <nickm at alum.mit.edu>
> On Fri, Jul 13, 2012 at 8:14 AM, Gino Badouri <g.badouri at gmail.com> wrote:
> > From the OpenSSL documentation it seems that no-hw and no-engines leaves out
> > support for hardware crypto engines so those are safe to set (our devices
> > don't have them).
> > Could anybody provide us with more "no-" options for ciphers we can skip?
> > Thanks a lot!
> The absolutely required cryptographic primitives for Tor are AES,
> SHA1, SHA256, DH, and RSA. This may grow in the future.
> Be aware though that being unable to negotiate certain ciphersuites
> might make your devices more fingerprintable, since starting in
> 0.2.3.x Tor will no longer advertise openssl-supported ciphersuites
> that it doesn't have.
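As an added example (not code from this thread or from Tor), a small Python check that reads an OpenSSL `no-<feature>` configure line, reports which of the primitives Nick lists as required would be removed, and estimates which ciphersuites the stripped build can no longer offer (the condition behind the "weren't able to find support" notice). The feature names and the suite-to-feature mapping are assumptions modelled on OpenSSL 1.0.x option and ciphersuite names, and the advertised-suite list is constructed for illustration, not Tor's real list.

```python
"""Check an OpenSSL 'no-<feature>' configure line against the primitives Tor
requires and estimate which TLS ciphersuites the stripped build cannot offer."""
import re

# Primitives listed as required, keyed by the OpenSSL feature that the
# matching 'no-<feature>' option removes (feature names assumed from 1.0.x).
REQUIRED = {"aes": "AES", "sha": "SHA1", "sha256": "SHA256", "dh": "DH", "rsa": "RSA"}

# Ciphersuite-name token prefix -> build features it needs (assumed mapping).
SUITE_DEPS = [
    ("ECDHE", ("ec", "ecdh")), ("ECDH", ("ec", "ecdh")), ("ECDSA", ("ec", "ecdsa")),
    ("DHE", ("dh",)), ("EDH", ("dh",)), ("DSS", ("dsa",)), ("RSA", ("rsa",)),
    ("AES", ("aes",)), ("CAMELLIA", ("camellia",)), ("SEED", ("seed",)),
    ("DES", ("des",)), ("RC4", ("rc4",)), ("SHA", ("sha",)),
]

# Constructed, illustrative advertise list; not Tor's real ciphersuite list.
WANTED = [
    "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA", "DHE-RSA-AES256-SHA",
    "DHE-DSS-AES256-SHA", "DHE-RSA-CAMELLIA256-SHA", "AES256-SHA",
    "DES-CBC3-SHA", "RC4-SHA",
]

def disabled_features(configure_line):
    """Features removed by every 'no-<feature>' option on the line."""
    return set(re.findall(r"\bno-([a-z0-9]+)", configure_line))

def suite_features(suite):
    """Build features a suite name such as ECDHE-RSA-AES256-SHA depends on."""
    feats = set()
    for token in suite.split("-"):
        for prefix, deps in SUITE_DEPS:
            if token.startswith(prefix):
                feats.update(deps)
                break
    return feats

def check_build(configure_line, wanted=WANTED):
    """Required primitives lost, and suites the build can no longer advertise."""
    disabled = disabled_features(configure_line)
    return {
        "missing_required": sorted(REQUIRED[f] for f in disabled if f in REQUIRED),
        "unsupported_suites": [s for s in wanted if suite_features(s) & disabled],
    }

if __name__ == "__main__":
    # The configure line from the message above; prints an empty required list
    # and five suites dropped, which is what triggers the notice.
    line = ("no-krb5 no-ssl2 no-dso no-engines no-hw no-idea no-err no-mdc2 no-rc5 "
            "no-camellia no-seed no-des no-dsa no-ec no-ecdsa no-ecdh no-ripemd "
            "no-md2 no-md4 no-cast no-bf no-cms no-jpake no-capieng shared threads zlib")
    print(check_build(line))
```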