Merge branch 'maint-0.3.4'

2024-11-10 13:13:44 +01:00 · 2018-09-07 09:15:56 -04:00 · 2018-09-07 09:15:56 -04:00 · ee6d8bcf71
commit ee6d8bcf71
parent 291876be36 8849b2ca3c
3 changed files with 11 additions and 0 deletions
--- a/changes/bug27344
+++ b/changes/bug27344
@ -0,0 +1,4 @@
+  o Minor features (compatibility):
+    - Tell OpenSSL to maintain backward compatibility with previous
+      RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these ciphers
+      are disabled by default. Closes ticket 27344.
--- a/configure.ac
+++ b/configure.ac
@ -952,6 +952,7 @@ AC_CHECK_FUNCS([ \
                SSL_get_client_ciphers \
                SSL_get_client_random \
 		SSL_CIPHER_find \
+                SSL_CTX_set_security_level \
 		TLS_method
 	       ])

--- a/src/lib/tls/tortls_openssl.c
+++ b/src/lib/tls/tortls_openssl.c
@ -548,6 +548,12 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
  if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
    goto error;
 #endif /* defined(HAVE_TLS_METHOD) */
+
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+  /* Level 1 re-enables RSA1024 and DH1024 for compatibility with old tors */
+  SSL_CTX_set_security_level(result->ctx, 1);
+#endif
+
  SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
  SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);