Merge remote-tracking branch 'origin/maint-0.2.3' into maint-0.2.4

This commit is contained in:
Nick Mathewson 2014-10-16 09:08:32 -04:00
commit 943fd4a252
2 changed files with 7 additions and 1 deletions

4
changes/disable_sslv3 Normal file
View File

@ -0,0 +1,4 @@
o Major security fixes:
- Disable support for SSLv3. All versions of OpenSSL in use with
Tor today support TLS 1.0 or later, so we can safely turn off
support for this old (and insecure) protocol. Fixes bug 13426.

View File

@ -1272,10 +1272,11 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
goto error; goto error;
#endif #endif
/* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */ /* Tell OpenSSL to use TLS 1.0 or later but not SSL2 or SSL3. */
if (!(result->ctx = SSL_CTX_new(SSLv23_method()))) if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
goto error; goto error;
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
/* Prefer the server's ordering of ciphers: the client's ordering has /* Prefer the server's ordering of ciphers: the client's ordering has
* historically been chosen for fingerprinting resistance. */ * historically been chosen for fingerprinting resistance. */
@ -1314,6 +1315,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
} }
#endif #endif
/* XXX This block is now obsolete. */
if ( if (
#ifdef DISABLE_SSL3_HANDSHAKE #ifdef DISABLE_SSL3_HANDSHAKE
1 || 1 ||