Merge remote-tracking branch 'public/bug6033' into maint-0.2.2

2024-11-10 21:23:58 +01:00 · 2012-06-04 11:33:27 -04:00 · 2012-06-04 11:33:27 -04:00 · 6d85a79653
commit 6d85a79653
parent b7e863c073 841a8d551a
2 changed files with 21 additions and 0 deletions
--- a/changes/bug6033
+++ b/changes/bug6033
@ -0,0 +1,6 @@
+  o Major bugfixes:
+    - Work around a bug in OpenSSL that broke renegotiation with
+      TLS 1.1 and TLS 1.2.  Without this workaround, all attempts
+      to speak the v2 Tor network protocol when both sides were
+      using OpenSSL 1.0.1 would fail.  Fix for bug 6033, which is
+      not a bug in Tor.
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@ -790,6 +790,21 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime,
    goto error;
  SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);

+  /* Disable TLS1.1 and TLS1.2 if they exist.  We need to do this to
+   * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
+   * June 2012), wherein renegotiating while using one of these TLS
+   * protocols will cause the client to send a TLS 1.0 ServerHello
+   * rather than a ServerHello written with the appropriate protocol
+   * version.  Once some version of OpenSSL does TLS1.1 and TLS1.2
+   * renegotiation properly, we can turn them back on when built with
+   * that version. */
+#ifdef SSL_OP_NO_TLSv1_2
+  SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2);
+#endif
+#ifdef SSL_OP_NO_TLSv1_1
+  SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1);
+#endif
+
  if (
 #ifdef DISABLE_SSL3_HANDSHAKE
      1 ||