[tor-relays] relay's count handshake versions, why not TLS handshake types?

s7r s7r at sky-ip.org
Sun Aug 2 17:01:16 UTC 2015



Hello,

I think that is to maintain backward compatibility. Tor tries as
hard as possible to maintain backward compatibility with older
versions, unless something critical requires deprecation regardless
of whether some relays will disappear from the consensus.

I guess this is the reason we currently prefer ECDHE but do not reject
DHE. In the future, when we are certain everyone has upgraded to a new
enough OpenSSL, we can safely reject DHE all the time.

On 8/2/2015 6:57 PM, starlight.2015q2 at binnacle.cx wrote:
> At 08:26 8/2/2015 -0700, you wrote:
>> It also may not tell you their ordering preference (but it might!
>> again, you'd have to look at the code.)
> 
> That "openssl s_client" test I ran was against my 0.2.6.10 with
> openssl 1.0.2 relay.
> 
> It's certain that ECDHE is preferred over DHE, but my thought is
> that, especially with 0.2.7 dropping openssl 0.9.8 (no ECDHE), that
> relays should refuse to accept DHE connections entirely.
> 
> We've seen many downgrade attacks, and who knows for certain if none
> remain buried in openssl?  Seems prudent to kill off DHE.
> 
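As an added example (not code from the thread or from Tor), a small Python helper for the `openssl s_client` check starlight describes, meant for a relay you operate yourself: it parses the negotiated cipher out of s_client's output and runs two handshakes, one offering DHE ahead of ECDHE to see whether the relay still picks ECDHE (its own preference), and one offering DHE only to see whether DHE is accepted at all. The sample output, host and port are constructed, and an `openssl` binary on PATH is assumed.

```python
import re
import subprocess

# Constructed sample of `openssl s_client` output (not captured from any real relay).
SAMPLE_S_CLIENT_OUTPUT = """\
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""


def negotiated_cipher(output):
    """Return the cipher from s_client's SSL-Session block, or None when no
    handshake completed (s_client then prints 'Cipher    : 0000')."""
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.MULTILINE)
    if m is None or m.group(1) == "0000":
        return None
    return m.group(1)


def key_exchange(cipher):
    """Classify an OpenSSL cipher-suite name by its key exchange."""
    if cipher.startswith("ECDHE-"):
        return "ECDHE"
    if cipher.startswith(("DHE-", "EDH-")):
        return "DHE"
    return "other"


def probe(host, port, cipher_list):
    """Offer only `cipher_list` to host:port; return the negotiated cipher or None."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port),
           "-cipher", cipher_list]
    # Empty stdin makes s_client exit right after the handshake.
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return negotiated_cipher(proc.stdout.decode(errors="replace"))


def audit_relay(host, port, probe_fn=probe):
    """Two handshakes: the relay's key-exchange preference, and whether DHE is accepted."""
    # Offer DHE first: if the relay still picks ECDHE, it enforces its own ordering.
    preferred = probe_fn(host, port, "DHE:ECDHE")
    # Offer DHE only: a relay that has dropped DHE fails this handshake.
    dhe_only = probe_fn(host, port, "DHE")
    return {
        "preferred_kx": key_exchange(preferred) if preferred else None,
        "accepts_dhe": dhe_only is not None,
    }
```

Run `audit_relay("your.relay.example", 9001)` against your own ORPort; `accepts_dhe` being True with `preferred_kx` of `ECDHE` is the state the thread describes.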

