mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-28 06:13:31 +01:00
Merge remote-tracking branch 'origin/maint-0.2.3' into maint-0.2.4
This commit is contained in:
commit
943fd4a252
4
changes/disable_sslv3
Normal file
4
changes/disable_sslv3
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
o Major security fixes:
|
||||||
|
- Disable support for SSLv3. All versions of OpenSSL in use with
|
||||||
|
Tor today support TLS 1.0 or later, so we can safely turn off
|
||||||
|
support for this old (and insecure) protocol. Fixes bug 13426.
|
@ -1272,10 +1272,11 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
|
|||||||
goto error;
|
goto error;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
|
/* Tell OpenSSL to use TLS 1.0 or later but not SSL2 or SSL3. */
|
||||||
if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
|
if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
|
||||||
goto error;
|
goto error;
|
||||||
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
|
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
|
||||||
|
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
|
||||||
|
|
||||||
/* Prefer the server's ordering of ciphers: the client's ordering has
|
/* Prefer the server's ordering of ciphers: the client's ordering has
|
||||||
* historically been chosen for fingerprinting resistance. */
|
* historically been chosen for fingerprinting resistance. */
|
||||||
@ -1314,6 +1315,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* XXX This block is now obsolete. */
|
||||||
if (
|
if (
|
||||||
#ifdef DISABLE_SSL3_HANDSHAKE
|
#ifdef DISABLE_SSL3_HANDSHAKE
|
||||||
1 ||
|
1 ||
|
||||||
|
Loading…
Reference in New Issue
Block a user