NSS: disable TLS1.2 SHA-384 ciphersuites.

In current NSS versions, these ciphersuites don't work with SSL_ExportKeyingMaterial(), which was causing relays to fail when they tried to negotiate the v3 link protocol authentication. Fixes bug 29241; bugfix on 0.4.0.1-alpha.
author: Nick Mathewson <nickm@torproject.org> 2019-03-29 13:38:48 -0400
committer: teor <teor@torproject.org> 2019-04-06 11:06:34 +1000
commit: 5cb94cbf9d89804ea37a2f1e68d354a86edb223e (patch)
tree: 68a136432f97025a6bee3fd382bedfc66b460fec /changes/bug29241
parent: 680fd3f8fb7157432398a3552ee9c98c72bd7397 (diff)
download: tor-5cb94cbf9d89804ea37a2f1e68d354a86edb223e.tar.gz
tor-5cb94cbf9d89804ea37a2f1e68d354a86edb223e.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/changes/bug29241 b/changes/bug29241
new file mode 100644
index 0000000000..13951d1162
--- /dev/null
+++ b/changes/bug29241
@@ -0,0 +1,6 @@
+  o Major bugfixes (NSS, relay):
+    - When running with NSS, disable TLS 1.2 ciphersuites that use SHA384
+      for their PRF. Due to an NSS bug, the TLS key exporters for these
+      ciphersuites don't work -- which caused relays to fail to handshake
+      with one another when these ciphersuites were enabled.
+      Fixes bug 29241; bugfix on 0.4.0.1-alpha.
author	Nick Mathewson <nickm@torproject.org>	2019-03-29 13:38:48 -0400
committer	teor <teor@torproject.org>	2019-04-06 11:06:34 +1000
commit	5cb94cbf9d89804ea37a2f1e68d354a86edb223e (patch)
tree	68a136432f97025a6bee3fd382bedfc66b460fec /changes/bug29241
parent	680fd3f8fb7157432398a3552ee9c98c72bd7397 (diff)
download	tor-5cb94cbf9d89804ea37a2f1e68d354a86edb223e.tar.gz tor-5cb94cbf9d89804ea37a2f1e68d354a86edb223e.zip