diff options
| author | Nick Mathewson <nickm@torproject.org> | 2016-09-05 14:09:14 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2016-09-05 14:09:14 -0400 |
| commit | c2d1356739992e1df16e2f0fce6cedb5d4396323 (patch) | |
| tree | 20b6c9bd33b3b1c30ed498bc99d02fcfac6ef67a | |
| parent | 6abce601f22789aa4bd5fdf227f9e4ba07406b1c (diff) | |
| download | tor-c2d1356739992e1df16e2f0fce6cedb5d4396323.tar.gz tor-c2d1356739992e1df16e2f0fce6cedb5d4396323.zip | |
Change servers to never pick 3DES.
Closes ticket 19998.
| -rw-r--r-- | changes/bug19998 | 6 | ||||
| -rw-r--r-- | src/common/tortls.c | 11 |
2 files changed, 9 insertions, 8 deletions
diff --git a/changes/bug19998 b/changes/bug19998 new file mode 100644 index 0000000000..d01589da03 --- /dev/null +++ b/changes/bug19998 @@ -0,0 +1,6 @@ + o Minor features (security, TLS): + - Servers no longer support clients that do not provide AES + ciphersuites. (3DES is no longer considered an acceptable + cipher.) We believe that no such clients currently exist, + since we have required OpenSSL 0.9.7 or later since 2009. + Closes ticket 19998. diff --git a/src/common/tortls.c b/src/common/tortls.c index 23889be259..cf3c8ab548 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -552,8 +552,7 @@ MOCK_IMPL(STATIC X509 *, * claiming extra unsupported ciphers in order to avoid fingerprinting. */ #define SERVER_CIPHER_LIST \ (TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" \ - TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" \ - SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) + TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) /** List of ciphers that servers should select from when we actually have * our choice of what cipher to use. */ @@ -593,12 +592,8 @@ static const char UNRESTRICTED_SERVER_CIPHER_LIST[] = /* Required */ TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" /* Required */ - TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" -#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA - TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA ":" -#endif - /* Required */ - SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA; + TLS1_TXT_DHE_RSA_WITH_AES_128_SHA + ; /* Note: to set up your own private testing network with link crypto * disabled, set your Tors' cipher list to |