From 2ec88a2a6ddef1b916425438b9648879a977b120 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Fri, 7 Sep 2018 08:57:14 -0400 Subject: Tell openssl to build its TLS contexts with security level 1 Fixes bug 27344, where we'd break compatibility with old tors by rejecting RSA1024 and DH1024. --- changes/bug27344 | 4 ++++ configure.ac | 1 + src/common/tortls.c | 6 +++++- 3 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 changes/bug27344 diff --git a/changes/bug27344 b/changes/bug27344 new file mode 100644 index 0000000000..9f66855586 --- /dev/null +++ b/changes/bug27344 @@ -0,0 +1,4 @@ + o Minor features (compatibility): + - Tell OpenSSL to maintain backward compatibility with previous + RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these ciphers + are disabled by default. Closes ticket 27344. diff --git a/configure.ac b/configure.ac index 76b3f423ae..5ac3579d70 100644 --- a/configure.ac +++ b/configure.ac @@ -678,6 +678,7 @@ AC_CHECK_FUNCS([ \ SSL_get_client_ciphers \ SSL_get_client_random \ SSL_CIPHER_find \ + SSL_CTX_set_security_level \ TLS_method ]) diff --git a/src/common/tortls.c b/src/common/tortls.c index 4cbe8b10e5..1f2fe1ce18 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1130,6 +1130,11 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, if (!(result->ctx = SSL_CTX_new(SSLv23_method()))) goto error; #endif +#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL + /* Level 1 re-enables RSA1024 and DH1024 for compatibility with old tors */ + SSL_CTX_set_security_level(result->ctx, 1); +#endif + SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3); @@ -2555,4 +2560,3 @@ evaluate_ecgroup_for_tls(const char *ecgroup) return ret; } - -- cgit v1.2.3-54-g00ecf