diff options
author | Nick Mathewson <nickm@torproject.org> | 2016-09-13 08:54:43 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2016-09-13 08:54:43 -0400 |
commit | 4b182dfc237ba4457b654a0dbc124f721024dab2 (patch) | |
tree | a78606d3d62be8285f17e107df324bd98d81a2d6 | |
parent | c897328feea549a391669c3fc93dc220d27e387c (diff) | |
parent | c2d1356739992e1df16e2f0fce6cedb5d4396323 (diff) | |
download | tor-4b182dfc237ba4457b654a0dbc124f721024dab2.tar.gz tor-4b182dfc237ba4457b654a0dbc124f721024dab2.zip |
Merge remote-tracking branch 'public/ticket19998'
-rw-r--r-- | changes/bug19998 | 6 | ||||
-rw-r--r-- | src/common/tortls.c | 11 |
2 files changed, 9 insertions, 8 deletions
diff --git a/changes/bug19998 b/changes/bug19998 new file mode 100644 index 0000000000..d01589da03 --- /dev/null +++ b/changes/bug19998 @@ -0,0 +1,6 @@ + o Minor features (security, TLS): + - Servers no longer support clients that do not provide AES + ciphersuites. (3DES is no longer considered an acceptable + cipher.) We believe that no such clients currently exist, + since we have required OpenSSL 0.9.7 or later since 2009. + Closes ticket 19998. diff --git a/src/common/tortls.c b/src/common/tortls.c index 23889be259..cf3c8ab548 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -552,8 +552,7 @@ MOCK_IMPL(STATIC X509 *, * claiming extra unsupported ciphers in order to avoid fingerprinting. */ #define SERVER_CIPHER_LIST \ (TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" \ - TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" \ - SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) + TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) /** List of ciphers that servers should select from when we actually have * our choice of what cipher to use. */ @@ -593,12 +592,8 @@ static const char UNRESTRICTED_SERVER_CIPHER_LIST[] = /* Required */ TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" /* Required */ - TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" -#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA - TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA ":" -#endif - /* Required */ - SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA; + TLS1_TXT_DHE_RSA_WITH_AES_128_SHA + ; /* Note: to set up your own private testing network with link crypto * disabled, set your Tors' cipher list to |