nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-11 05:33:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'public/ticket11528_024'

Browse Source
This commit is contained in:
Nick Mathewson 2014-04-17 12:17:14 -04:00
commit eb896d5e6f
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
changes/ticket11528 Normal file
View File

@ -0,0 +1,6 @@
o Minor features:
- Servers now trust themselves to have a better view than clients of
which TLS ciphersuites to choose. (Thanks to #11513, the server
list is now well-considered, whereas the client list has been
chosen mainly for anti-fingerprinting purposes.) Resolves ticket
11528.

4
src/common/tortls.c
View File

@ -1250,6 +1250,10 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
goto error; goto error;
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
/* Prefer the server's ordering of ciphers: the client's ordering has
* historically been chosen for fingerprinting resistance. */
SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
/* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to /* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to
* workaround a bug present in all OpenSSL 1.0.1 versions (as of 1 * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
* June 2012), wherein renegotiating while using one of these TLS * June 2012), wherein renegotiating while using one of these TLS