mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-10 21:23:58 +01:00
27 lines
1.3 KiB
Plaintext
27 lines
1.3 KiB
Plaintext
o Major features:
|
|
|
|
- Servers can now enable the ECDHE TLS ciphersuites when available
|
|
and appropriate. These ciphersuites let us negotiate forward-
|
|
secure TLS secret keys more safely and more efficiently than with
|
|
our previous use of Diffie Hellman modulo a 1024-bit prime.
|
|
By default, public servers prefer the (faster) P224 group, and
|
|
bridges prefer the (more common) P256 group; you can override this
|
|
with the TLSECGroup option.
|
|
|
|
Enabling these ciphers was a little tricky, since for a long
|
|
time, clients had been claiming to support them without
|
|
actually doing so, in order to foil fingerprinting. But with
|
|
the client-side implementation of proposal 198 in
|
|
0.2.3.17-beta, clients can now match the ciphers from recent
|
|
firefox versions *and* list the ciphers they actually mean, so
|
|
servers can believe such clients when they advertise ECDHE
|
|
support in their TLS ClientHello messages.
|
|
|
|
This feature requires clients running 0.2.3.17-beta or later,
|
|
and requires both sides to be running OpenSSL 1.0.0 or later
|
|
with ECC support. OpenSSL 1.0.1, with the compile-time option
|
|
"enable-ec_nistp_64_gcc_128", is highly recommended.
|
|
Implements the server side of proposal 198; closes ticket
|
|
7200.
|
|
|