diff options
| author | Nick Mathewson <nickm@torproject.org> | 2018-09-07 09:15:56 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2018-09-07 09:15:56 -0400 |
| commit | ee6d8bcf71b0cf9eb7acc2987a59c78ffc172303 (patch) | |
| tree | 049720dc6df4aaaf9d6e36480bb0f23655d55c0f | |
| parent | 291876be36d70e892d8fb5e50509379e69485a02 (diff) | |
| parent | 8849b2ca3c3943e7d2f109b8e56179be82092a6e (diff) | |
| download | tor-ee6d8bcf71b0cf9eb7acc2987a59c78ffc172303.tar.gz tor-ee6d8bcf71b0cf9eb7acc2987a59c78ffc172303.zip | |
Merge branch 'maint-0.3.4'
| -rw-r--r-- | changes/bug27344 | 4 | ||||
| -rw-r--r-- | configure.ac | 1 | ||||
| -rw-r--r-- | src/lib/tls/tortls_openssl.c | 6 |
3 files changed, 11 insertions, 0 deletions
diff --git a/changes/bug27344 b/changes/bug27344 new file mode 100644 index 0000000000..9f66855586 --- /dev/null +++ b/changes/bug27344 @@ -0,0 +1,4 @@ + o Minor features (compatibility): + - Tell OpenSSL to maintain backward compatibility with previous + RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these ciphers + are disabled by default. Closes ticket 27344. diff --git a/configure.ac b/configure.ac index 32a0750e74..643068724e 100644 --- a/configure.ac +++ b/configure.ac @@ -952,6 +952,7 @@ AC_CHECK_FUNCS([ \ SSL_get_client_ciphers \ SSL_get_client_random \ SSL_CIPHER_find \ + SSL_CTX_set_security_level \ TLS_method ]) diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c index 2a022b8531..dc6c0bee9c 100644 --- a/src/lib/tls/tortls_openssl.c +++ b/src/lib/tls/tortls_openssl.c @@ -548,6 +548,12 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, if (!(result->ctx = SSL_CTX_new(SSLv23_method()))) goto error; #endif /* defined(HAVE_TLS_METHOD) */ + +#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL + /* Level 1 re-enables RSA1024 and DH1024 for compatibility with old tors */ + SSL_CTX_set_security_level(result->ctx, 1); +#endif + SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3); |