author | Nick Mathewson <nickm@torproject.org> | 2012-05-15 15:32:18 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2012-06-13 12:06:28 -0400 |
commit | df6bd478eeb8164b99156bf9528e1b058fe491fd (patch) | |
tree | b43d0fd5a2e2a2d8cf0fd1d704cc99621c559c02 /changes | |
parent | 89c16890095d63cc6f56a378108efc3d3f063204 (diff) | |
Implement the client side of proposal 198

This is a feature removal: we no longer fake any ciphersuite other
than the not-really-standard SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
(0xfeff). This change will let servers rely on our actually
supporting what we claim to support, and thereby let Tor migrate to
better TLS ciphersuites.

As a drawback, Tor instances that use old openssl versions and
openssl builds with ciphers disabled will no longer give the
"firefox" cipher list.

Diffstat (limited to 'changes')
-rw-r--r-- | changes/prop198 | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/changes/prop198 b/changes/prop198 new file mode 100644 index 0000000000..fd666864c3 --- /dev/null +++ b/changes/prop198 @@ -0,0 +1,12 @@ + o Removed features: + + - Remove support for clients claiming to support any standard + ciphersuites that we can actually provide. (As of modern + OpenSSL versions, it's not necessary to fake any standard + ciphersuite, and doing so prevents us from using better + ciphersuites in the future, since servers can't know whether an + advertised ciphersuite is really supported or not.) Some + hosts--notably, ones with very old versions of OpenSSL or where + OpenSSL has been built with ECC disabled-- will stand out + because of this change; TBB users should not be affected. + This implements the client side of proposal 198. |
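
Review bot: The first sentence of the new changes/prop198 entry says clients will stop claiming "any standard ciphersuites that we can actually provide", which reads as the opposite of the commit message ("we no longer fake any ciphersuite other than ..."); the negation appears to be missing, and "that we can't actually provide" would match the parenthetical that follows about servers not knowing whether an advertised ciphersuite is really supported. The entry also omits the one exception the commit message names, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff), which is still advertised; a short clause noting it would keep the changelog consistent with the commit message. The "will stand out" sentence could say in what way, since the commit message states it concretely: such hosts no longer give the "firefox" cipher list.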