mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-14 07:03:44 +01:00
Merge remote-tracking branch 'public/ticket11528_024' into maint-0.2.4
This commit is contained in:
commit
0ad8133a7e
6
changes/ticket11528
Normal file
6
changes/ticket11528
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
o Minor features:
|
||||||
|
- Servers now trust themselves to have a better view than clients of
|
||||||
|
which TLS ciphersuites to choose. (Thanks to #11513, the server
|
||||||
|
list is now well-considered, whereas the client list has been
|
||||||
|
chosen mainly for anti-fingerprinting purposes.) Resolves ticket
|
||||||
|
11528.
|
@ -1277,6 +1277,10 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
|
|||||||
goto error;
|
goto error;
|
||||||
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
|
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
|
||||||
|
|
||||||
|
/* Prefer the server's ordering of ciphers: the client's ordering has
|
||||||
|
* historically been chosen for fingerprinting resistance. */
|
||||||
|
SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||||
|
|
||||||
/* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to
|
/* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to
|
||||||
* workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
|
* workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
|
||||||
* June 2012), wherein renegotiating while using one of these TLS
|
* June 2012), wherein renegotiating while using one of these TLS
|
||||||
|
Loading…
Reference in New Issue
Block a user