summaryrefslogtreecommitdiff
path: root/src/common
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2018-09-07 08:57:14 -0400
committerNick Mathewson <nickm@torproject.org>2018-09-07 09:15:06 -0400
commit2ec88a2a6ddef1b916425438b9648879a977b120 (patch)
tree1d43e91f803355e7612e1461dd2b653bfc2c7410 /src/common
parent9fcb3ef787285fcb116d07fc2ff563e80a0c8a0e (diff)
downloadtor-2ec88a2a6ddef1b916425438b9648879a977b120.tar.gz
tor-2ec88a2a6ddef1b916425438b9648879a977b120.zip
Tell openssl to build its TLS contexts with security level 1
Fixes bug 27344, where we'd break compatibility with old tors by rejecting RSA1024 and DH1024.
Diffstat (limited to 'src/common')
-rw-r--r--src/common/tortls.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 4cbe8b10e5..1f2fe1ce18 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1130,6 +1130,11 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
goto error;
#endif
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+ /* Level 1 re-enables RSA1024 and DH1024 for compatibility with old tors */
+ SSL_CTX_set_security_level(result->ctx, 1);
+#endif
+
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
@@ -2555,4 +2560,3 @@ evaluate_ecgroup_for_tls(const char *ecgroup)
return ret;
}
-