diff options
author | Nick Mathewson <nickm@torproject.org> | 2014-10-19 14:36:10 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2014-10-19 14:36:10 -0400 |
commit | d1c6b2cf11a48db9a79a619547fdc6454b1ce271 (patch) | |
tree | 72cf2d0b4454cb02db30ec1c427099ab1d0b78de | |
parent | f48def202c897758e3f1c65ae0773d71e5094158 (diff) | |
parent | 943fd4a252ad252d7d594622d5988634ddf8f1fc (diff) | |
download | tor-d1c6b2cf11a48db9a79a619547fdc6454b1ce271.tar.gz tor-d1c6b2cf11a48db9a79a619547fdc6454b1ce271.zip |
Merge remote-tracking branch 'origin/maint-0.2.4' into release-0.2.4
-rw-r--r-- | changes/disable_sslv3 | 4 | ||||
-rw-r--r-- | src/common/tortls.c | 4 |
2 files changed, 7 insertions, 1 deletions
diff --git a/changes/disable_sslv3 b/changes/disable_sslv3 new file mode 100644 index 0000000000..bb4c2df7a2 --- /dev/null +++ b/changes/disable_sslv3 @@ -0,0 +1,4 @@ + o Major security fixes: + - Disable support for SSLv3. All versions of OpenSSL in use with + Tor today support TLS 1.0 or later, so we can safely turn off + support for this old (and insecure) protocol. Fixes bug 13426. diff --git a/src/common/tortls.c b/src/common/tortls.c index c13b12fd40..4222f6dbff 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1272,10 +1272,11 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, goto error; #endif - /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */ + /* Tell OpenSSL to use TLS 1.0 or later but not SSL2 or SSL3. */ if (!(result->ctx = SSL_CTX_new(SSLv23_method()))) goto error; SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); + SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3); /* Prefer the server's ordering of ciphers: the client's ordering has * historically been chosen for fingerprinting resistance. */ @@ -1314,6 +1315,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, } #endif + /* XXX This block is now obsolete. */ if ( #ifdef DISABLE_SSL3_HANDSHAKE 1 || |