mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-30 23:53:32 +01:00
Remove workaround code for broken client-side renegotiation
Since 11150 removed client-side support for renegotiation, we no longer need to make sure we have an openssl/TLSvX combination that supports it (client-side)
This commit is contained in:
parent
6505d529a5
commit
5bd3290df3
@ -1124,23 +1124,6 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
|
|||||||
* historically been chosen for fingerprinting resistance. */
|
* historically been chosen for fingerprinting resistance. */
|
||||||
SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||||
|
|
||||||
/* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to
|
|
||||||
* workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
|
|
||||||
* June 2012), wherein renegotiating while using one of these TLS
|
|
||||||
* protocols will cause the client to send a TLS 1.0 ServerHello
|
|
||||||
* rather than a ServerHello written with the appropriate protocol
|
|
||||||
* version. Once some version of OpenSSL does TLS1.1 and TLS1.2
|
|
||||||
* renegotiation properly, we can turn them back on when built with
|
|
||||||
* that version. */
|
|
||||||
#if OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,1,'e')
|
|
||||||
#ifdef SSL_OP_NO_TLSv1_2
|
|
||||||
SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2);
|
|
||||||
#endif
|
|
||||||
#ifdef SSL_OP_NO_TLSv1_1
|
|
||||||
SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1);
|
|
||||||
#endif
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Disable TLS tickets if they're supported. We never want to use them;
|
/* Disable TLS tickets if they're supported. We never want to use them;
|
||||||
* using them can make our perfect forward secrecy a little worse, *and*
|
* using them can make our perfect forward secrecy a little worse, *and*
|
||||||
* create an opportunity to fingerprint us (since it's unusual to use them
|
* create an opportunity to fingerprint us (since it's unusual to use them
|
||||||
|
Loading…
Reference in New Issue
Block a user