mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-28 06:13:31 +01:00
Merge remote-tracking branch 'origin/maint-0.2.2' into maint-0.2.3
This commit is contained in:
commit
a0e9dc9f55
9
changes/bug7139
Normal file
9
changes/bug7139
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
o Major bugfixes (security):
|
||||||
|
|
||||||
|
- Disable TLS session tickets. OpenSSL's implementation were giving
|
||||||
|
our TLS session keys the lifetime of our TLS context objects, when
|
||||||
|
perfect forward secrecy would want us to discard anything that
|
||||||
|
could decrypt a link connection as soon as the link connection was
|
||||||
|
closed. Fixes bug 7139; bugfix on all versions of Tor linked
|
||||||
|
against OpenSSL 1.0.0 or later. Found by "nextgens".
|
||||||
|
|
@ -1195,6 +1195,14 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
|
|||||||
#ifdef SSL_OP_NO_TLSv1_1
|
#ifdef SSL_OP_NO_TLSv1_1
|
||||||
SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1);
|
SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1);
|
||||||
#endif
|
#endif
|
||||||
|
/* Disable TLS tickets if they're supported. We never want to use them;
|
||||||
|
* using them can make our perfect forward secrecy a little worse, *and*
|
||||||
|
* create an opportunity to fingerprint us (since it's unusual to use them
|
||||||
|
* with TLS sessions turned off).
|
||||||
|
*/
|
||||||
|
#ifdef SSL_OP_NO_TICKET
|
||||||
|
SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
|
||||||
|
#endif
|
||||||
|
|
||||||
if (
|
if (
|
||||||
#ifdef DISABLE_SSL3_HANDSHAKE
|
#ifdef DISABLE_SSL3_HANDSHAKE
|
||||||
|
Loading…
Reference in New Issue
Block a user