diff options
| -rw-r--r-- | changes/bug7189_server_only | 5 | ||||
| -rw-r--r-- | src/common/tortls.c | 8 |
2 files changed, 8 insertions, 5 deletions
diff --git a/changes/bug7189_server_only b/changes/bug7189_server_only index 6c2462141e..9ad5ad9ab9 100644 --- a/changes/bug7189_server_only +++ b/changes/bug7189_server_only @@ -1,5 +1,4 @@ o Minor bugfixes: - Only disable TLS session ticket support when running as a TLS - server. It's important for clients to remain hard to distinguish - from regular firefox connections. Fixes bug 7189; bugfix on - Tor 0.2.3.23-rc. + server. This keeps clients harder to distinguish from regular firefox + connections. Fixes bug 7189; bugfix on Tor 0.2.3.23-rc. diff --git a/src/common/tortls.c b/src/common/tortls.c index 3bb0581463..1b7b544f36 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1193,8 +1193,12 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, /* Disable TLS tickets if they're supported. We never want to use them; * using them can make our perfect forward secrecy a little worse, *and* * create an opportunity to fingerprint us (since it's unusual to use them - * with TLS sessions turned off). Clients need to advertise support for - * them, though to avoid a TLS distinguishability vector. + * with TLS sessions turned off). + * + * In 0.2.4, clients advertise support for them, though to avoid a TLS + * distinguishability vector. This can give us worse PFS, though, if we + * get a server that doesn't set SSL_OP_NO_TICKET. With luck, there will + * be few such servers by the time 0.2.4 is more stable. */ #ifdef SSL_OP_NO_TICKET if (! is_client) { |