Only disable TLS tickets when being/acting as a server.

Fix for bug 7189.
This commit is contained in:
Nick Mathewson 2012-10-24 20:13:25 -04:00
parent b99457d429
commit 62a49c0cc8
2 changed files with 10 additions and 2 deletions

View File

@ -0,0 +1,5 @@
o Minor bugfixes:
- Only disable TLS session ticket support when running as a TLS
server. It's important for clients to remain hard to distinguish
from regular firefox connections. Fixes bug 7189; bugfix on
Tor 0.2.3.23-rc.

View File

@ -1198,10 +1198,13 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
/* Disable TLS tickets if they're supported. We never want to use them;
* using them can make our perfect forward secrecy a little worse, *and*
* create an opportunity to fingerprint us (since it's unusual to use them
* with TLS sessions turned off).
* with TLS sessions turned off). Clients need to advertise support for
* them, though to avoid a TLS distinguishability vector.
*/
#ifdef SSL_OP_NO_TICKET
if (! is_client) {
SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
}
#endif
if (