Merge branch 'no_sslv3_023' into maint-0.2.3

This commit is contained in:
Nick Mathewson 2014-10-16 09:08:09 -04:00
commit c1c83eb376
2 changed files with 7 additions and 1 deletions

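--- a/changes/disable_sslv3
+++ b/changes/disable_sslv3
@@ -0,0 +1,4 @@
+o Major security fixes:
+- Disable support for SSLv3. All versions of OpenSSL in use with
+Tor today support TLS 1.0 or later, so we can safely turn off
+support for this old (and insecure) protocol. Fixes bug 13426.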


@ -1176,10 +1176,11 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
goto error;
#endif
/* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
/* Tell OpenSSL to use TLS 1.0 or later but not SSL2 or SSL3. */
if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
goto error;
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
/* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to
* workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
@ -1204,6 +1205,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
#endif
/* XXX This block is now obsolete. */
if (
#ifdef DISABLE_SSL3_HANDSHAKE
1 ||