diff options
| author | Nick Mathewson <nickm@torproject.org> | 2012-06-04 11:36:33 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2012-06-04 11:36:33 -0400 |
| commit | 329e1c65d3c73ad7b3b4cdaa870dd04fd7fb01b7 (patch) | |
| tree | e2c6444c3b56f2c944bdd22fab548acf67fc880a /src | |
| parent | 75b72bf62122c74f4c0c193e9364928aecdba695 (diff) | |
| parent | 6d85a796539424882f878ccac5ae4640a6fbb561 (diff) | |
| download | tor-329e1c65d3c73ad7b3b4cdaa870dd04fd7fb01b7.tar.gz tor-329e1c65d3c73ad7b3b4cdaa870dd04fd7fb01b7.zip | |
Merge remote-tracking branch 'origin/maint-0.2.2'
Diffstat (limited to 'src')
| -rw-r--r-- | src/common/tortls.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c index 1120f3e8be..cc49310ba9 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1172,6 +1172,21 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, goto error; SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); + /* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to + * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1 + * June 2012), wherein renegotiating while using one of these TLS + * protocols will cause the client to send a TLS 1.0 ServerHello + * rather than a ServerHello written with the appropriate protocol + * version. Once some version of OpenSSL does TLS1.1 and TLS1.2 + * renegotiation properly, we can turn them back on when built with + * that version. */ +#ifdef SSL_OP_NO_TLSv1_2 + SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2); +#endif +#ifdef SSL_OP_NO_TLSv1_1 + SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1); +#endif + if ( #ifdef DISABLE_SSL3_HANDSHAKE 1 || |