Merge remote-tracking branch 'origin/maint-0.2.4' into release-0.2.4

Nick Mathewson 2014-10-19 14:36:10 -04:00
commit d1c6b2cf11
2 changed files with 7 additions and 1 deletions

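--- a/changes/disable_sslv3
+++ b/changes/disable_sslv3
@@ -0,0 +1,4 @@
+o Major security fixes:
+- Disable support for SSLv3. All versions of OpenSSL in use with
+Tor today support TLS 1.0 or later, so we can safely turn off
+support for this old (and insecure) protocol. Fixes bug 13426.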


@ -1272,10 +1272,11 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
goto error;
#endif
/* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
/* Tell OpenSSL to use TLS 1.0 or later but not SSL2 or SSL3. */
if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
goto error;
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
/* Prefer the server's ordering of ciphers: the client's ordering has
* historically been chosen for fingerprinting resistance. */
@ -1314,6 +1315,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
}
#endif
/* XXX This block is now obsolete. */
if (
#ifdef DISABLE_SSL3_HANDSHAKE
1 ||
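Review bot: The added `/* XXX This block is now obsolete. */` marker in the second hunk does not say why the block is obsolete or what should happen to it, and the `DISABLE_SSL3_HANDSHAKE` conditional below it still reads as if SSLv3 were a build-time choice. Since the first hunk now sets `SSL_OP_NO_SSLv3` unconditionally, the comment could say so, e.g. `/* XXX Obsolete: SSL_OP_NO_SSLv3 is now always set above (bug 13426); remove this block. */`. The `if (` condition and its body continue outside the hunk, so this assumes the block only toggles SSLv3. Separately, the two option calls in the first hunk could be one `SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);`, which keeps the protocol floor in a single place.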