Merge remote-tracking branch 'public/ticket11528_024'

2024-09-21 13:34:59 +02:00 · 2014-04-17 12:17:14 -04:00 · 2014-04-17 12:17:14 -04:00 · eb896d5e6f
commit eb896d5e6f
parent 9c3f7a6d35 0b319de60f
2 changed files with 10 additions and 0 deletions
--- a/changes/ticket11528
+++ b/changes/ticket11528
@ -0,0 +1,6 @@
+  o Minor features:
+    - Servers now trust themselves to have a better view than clients of
+      which TLS ciphersuites to choose. (Thanks to #11513, the server
+      list is now well-considered, whereas the client list has been
+      chosen mainly for anti-fingerprinting purposes.) Resolves ticket
+      11528.
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@ -1250,6 +1250,10 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
    goto error;
  SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);

+  /* Prefer the server's ordering of ciphers: the client's ordering has
+  * historically been chosen for fingerprinting resistance. */
+  SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+
  /* Disable TLS1.1 and TLS1.2 if they exist.  We need to do this to
   * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
   * June 2012), wherein renegotiating while using one of these TLS