Let servers choose better ciphersuites when clients support them

This implements the server-side of proposal 198 by detecting when clients lack the magic list of ciphersuites that indicates that they're lying faking some ciphers they don't really have. When clients lack this list, we can choose any cipher that we'd actually like. The newly allowed ciphersuites are, currently, "All ECDHE-RSA ciphers that openssl supports, except for ECDHE-RSA-RC4". The code to detect the cipher list relies on on (ab)use of SSL_set_session_secret_cb.
author: Nick Mathewson <nickm@torproject.org> 2012-11-28 13:31:17 -0500
committer: Nick Mathewson <nickm@torproject.org> 2012-12-25 20:14:07 -0500
commit: 175b2678d7dd0ff8b00b597169e4a9a0d8e86f12 (patch)
tree: 3d7531b0316a389bee440521e608b7a9ffc72735 /src/common/tortls.h
parent: 63208aa1e53f5ffc3ecbe47402cc2736bbce6af0 (diff)
download: tor-175b2678d7dd0ff8b00b597169e4a9a0d8e86f12.tar.gz
tor-175b2678d7dd0ff8b00b597169e4a9a0d8e86f12.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/src/common/tortls.h b/src/common/tortls.h
index 7bc6c8e76b..8881827cef 100644
--- a/src/common/tortls.h
+++ b/src/common/tortls.h
@@ -129,6 +129,7 @@ int tor_tls_cert_is_valid(int severity,
                           const tor_cert_t *cert,
                           const tor_cert_t *signing_cert,
                           int check_rsa_1024);
+const char *tor_tls_get_ciphersuite_name(tor_tls_t *tls);
 
 #endif
author	Nick Mathewson <nickm@torproject.org>	2012-11-28 13:31:17 -0500
committer	Nick Mathewson <nickm@torproject.org>	2012-12-25 20:14:07 -0500
commit	175b2678d7dd0ff8b00b597169e4a9a0d8e86f12 (patch)
tree	3d7531b0316a389bee440521e608b7a9ffc72735 /src/common/tortls.h
parent	63208aa1e53f5ffc3ecbe47402cc2736bbce6af0 (diff)
download	tor-175b2678d7dd0ff8b00b597169e4a9a0d8e86f12.tar.gz tor-175b2678d7dd0ff8b00b597169e4a9a0d8e86f12.zip