[tor-relays] relay's count handshake versions, why not TLS handshake types?
starlight.2015q2 at binnacle.cx
starlight.2015q2 at binnacle.cx
Sun Aug 2 17:28:44 UTC 2015
Of course! This is implicit in my posting.
What I am saying is that, like old v1/v2
handshakes, Tor should be moving in the
direction of eliminating DHE. The
way to approach that is to *count*
the number of DHE handshakes and
other TLS session attributes. This
is currently begin done for TOR/NTOR
handshakes but is not for TLS negotiations.
0.2.7 will not build/run with openssl
0.9.8, so once 0.2.7 is widely deployed
DHE can be forcibly disabled.
BUT, as with v1/v2 handshakes, one
would not want to do that prematurely
so counting them is a good idea.
That suggesting is the principle
idea of the thread.
At 20:01 8/2/2015 +0300, you wrote:
>I think that is to maintain a backward
>compatibility. Tor tries as hard as possible to
>maintain backward compatibility with older
>versions, unless something critical which requires
>deprecation regardless some relays will disappear
>from the consensus.
>
>I guess this is the reason we currently prefer
>ECDHE but do not reject DHE. In the future, when
>we are certain everyone upgraded to new enough
>OpenSSL, we can safely reject DHE all the time.
>
More information about the tor-relays
mailing list