Merge branch 'maint-0.3.2' into release-0.3.2
This commit is contained in:
Nick Mathewson
commit
cb3c1f2e54
|
|
@ -0,0 +1,7 @@
|
|||
o Minor features (compatibility, OpenSSL):
|
||||
- Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
|
||||
Previous versions of Tor would not have worked with OpenSSL
|
||||
1.1.1, since they neither disabled TLS 1.3 nor enabled any of the
|
||||
ciphersuites it requires. Here we enable the TLS 1.3 ciphersuites.
|
||||
Closes ticket 24978.
|
||||
|
||||
|
|
@ -2,8 +2,27 @@
|
|||
* advertise. Before including it, you should define the CIPHER and XCIPHER
|
||||
* macros.
|
||||
*
|
||||
* This file was automatically generated by get_mozilla_ciphers.py.
|
||||
* This file was automatically generated by get_mozilla_ciphers.py;
|
||||
* TLSv1.3 ciphers were added manually.
|
||||
*/
|
||||
|
||||
/* Here are the TLS1.3 ciphers. Note that we don't have XCIPHER instances
|
||||
* here, since we don't want to ever fake them.
|
||||
*/
|
||||
#ifdef TLS1_3_TXT_AES_128_GCM_SHA256
|
||||
CIPHER(0x1301, TLS1_3_TXT_AES_128_GCM_SHA256)
|
||||
#endif
|
||||
#ifdef TLS1_3_TXT_AES_256_GCM_SHA384
|
||||
CIPHER(0x1302, TLS1_3_TXT_AES_256_GCM_SHA384)
|
||||
#endif
|
||||
#ifdef TLS1_3_TXT_CHACHA20_POLY1305_SHA256
|
||||
CIPHER(0x1303, TLS1_3_TXT_CHACHA20_POLY1305_SHA256)
|
||||
#endif
|
||||
#ifdef TLS1_3_TXT_AES_128_CCM_SHA256
|
||||
CIPHER(0x1304, TLS1_3_TXT_AES_128_CCM_SHA256)
|
||||
#endif
|
||||
|
||||
/* Here's the machine-generated list. */
|
||||
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
CIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
|
||||
#else
|
||||
|
|
|
|||
|
|
@ -570,13 +570,35 @@ tor_tls_create_certificate,(crypto_pk_t *rsa,
|
|||
|
||||
/** List of ciphers that servers should select from when the client might be
|
||||
* claiming extra unsupported ciphers in order to avoid fingerprinting. */
|
||||
#define SERVER_CIPHER_LIST \
|
||||
(TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" \
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_128_SHA)
|
||||
static const char SERVER_CIPHER_LIST[] =
|
||||
#ifdef TLS1_3_TXT_AES_128_GCM_SHA256
|
||||
/* This one can never actually get selected, since if the client lists it,
|
||||
* we will assume that the client is honest, and not use this list.
|
||||
* Nonetheless we list it if it's available, so that the server doesn't
|
||||
* conclude that it has no valid ciphers if it's running with TLS1.3.
|
||||
*/
|
||||
TLS1_3_TXT_AES_128_GCM_SHA256 ":"
|
||||
#endif
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_128_SHA;
|
||||
|
||||
/** List of ciphers that servers should select from when we actually have
|
||||
* our choice of what cipher to use. */
|
||||
static const char UNRESTRICTED_SERVER_CIPHER_LIST[] =
|
||||
/* Here are the TLS 1.3 ciphers we like, in the order we prefer. */
|
||||
#ifdef TLS1_3_TXT_AES_256_GCM_SHA384
|
||||
TLS1_3_TXT_AES_256_GCM_SHA384 ":"
|
||||
#endif
|
||||
#ifdef TLS1_3_TXT_CHACHA20_POLY1305_SHA256
|
||||
TLS1_3_TXT_CHACHA20_POLY1305_SHA256 ":"
|
||||
#endif
|
||||
#ifdef TLS1_3_TXT_AES_128_GCM_SHA256
|
||||
TLS1_3_TXT_AES_128_GCM_SHA256 ":"
|
||||
#endif
|
||||
#ifdef TLS1_3_TXT_AES_128_CCM_SHA256
|
||||
TLS1_3_TXT_AES_128_CCM_SHA256 ":"
|
||||
#endif
|
||||
|
||||
/* This list is autogenerated with the gen_server_ciphers.py script;
|
||||
* don't hand-edit it. */
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
|
|
|
|||
Loading…
Reference in New Issue