mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-10 21:23:58 +01:00
df6bd478ee
This is a feature removal: we no longer fake any ciphersuite other than the not-really-standard SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff). This change will let servers rely on our actually supporting what we claim to support, and thereby let Tor migrate to better TLS ciphersuites. As a drawback, Tor instances that use old openssl versions and openssl builds with ciphers disabled will no longer give the "firefox" cipher list.
13 lines
666 B
Plaintext
13 lines
666 B
Plaintext
o Removed features:
|
|
|
|
- Remove support for clients claiming to support any standard
|
|
ciphersuites that we can actually provide. (As of modern
|
|
OpenSSL versions, it's not necessary to fake any standard
|
|
ciphersuite, and doing so prevents us from using better
|
|
ciphersuites in the future, since servers can't know whether an
|
|
advertised ciphersuite is really supported or not.) Some
|
|
hosts--notably, ones with very old versions of OpenSSL or where
|
|
OpenSSL has been built with ECC disabled-- will stand out
|
|
because of this change; TBB users should not be affected.
|
|
This implements the client side of proposal 198.
|