
Re: [tor-bugs] #4822 [Tor Client]: Avoid vulnerability CVE-2011-4576 : Disable SSL3?



#4822: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
------------------------+---------------------------------------------------
 Reporter:  nickm       |          Owner:                    
     Type:  defect      |         Status:  new               
 Priority:  critical    |      Milestone:  Tor: 0.2.1.x-final
Component:  Tor Client  |        Version:                    
 Keywords:              |         Parent:                    
   Points:              |   Actualpoints:                    
------------------------+---------------------------------------------------

Comment(by nickm):

 Have a look at branch "bug4822_021" in my public repo.

 I considered an approach where we would allow any handshake, but disallow
 any SSL3 ciphers so that the handshake would fail if the ssl3 handshake
 were actually tried.  Problem was, openssl allows tls1 ciphers with the
 ssl3 handshake, so that wouldn't have worked.  (Thanks to asn for testing
 that.)

 This needs review and a changes file.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4822#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
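
The reasoning in the comment above, as an added example that is not from the ticket, the bug4822_021 branch or Tor's code: a ServerHello carries the negotiated protocol version and the selected cipher suite as separate fields, so a check on the suite alone can pass a handshake that settled on SSL3. The two policy functions and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct server_hello {
    uint16_t version;  /* negotiated version: 0x0300 = SSL3, 0x0301 = TLS1 */
    uint16_t suite;    /* cipher suite the server selected */
};

/* Parse one handshake record carrying a ServerHello.
 * Returns 0 on success, -1 if the input is truncated or not a ServerHello. */
int parse_server_hello(const uint8_t *p, size_t len, struct server_hello *out)
{
    size_t off;
    if (len < 44 || p[0] != 22 || p[5] != 2)    /* record type, handshake type */
        return -1;
    out->version = (uint16_t)((p[9] << 8) | p[10]);
    off = 44 + p[43];                            /* skip random and session id */
    if (off + 3 > len)                           /* suite (2) + compression (1) */
        return -1;
    out->suite = (uint16_t)((p[off] << 8) | p[off + 1]);
    return 0;
}

/* Hypothetical policy A: judge the connection by cipher suite alone
 * (accepts the two RSA AES suites published for TLS in RFC 3268). */
int cipher_policy_accepts(uint16_t suite) { return suite == 0x002F || suite == 0x0035; }

/* Hypothetical policy B: judge the connection by the negotiated version. */
int version_policy_accepts(uint16_t version) { return version >= 0x0301; }

/* Constructed sample: ServerHello, version 3.0, empty session id, suite 0x002F. */
static const uint8_t SAMPLE[47] = {
    22, 3, 0, 0, 42,           /* record: handshake, version 3.0, length 42 */
    2, 0, 0, 38,               /* ServerHello, body length 38 */
    3, 0,                      /* server_version = SSL 3.0; random stays zeroed */
    [43] = 0,                  /* session id length */
    [44] = 0x00, 0x2F, 0       /* suite 0x002F, null compression */
};

int main(void)
{
    struct server_hello sh;
    if (parse_server_hello(SAMPLE, sizeof SAMPLE, &sh) != 0)
        return 1;
    printf("version=0x%04x suite=0x%04x cipher_ok=%d version_ok=%d\n", sh.version,
           sh.suite, cipher_policy_accepts(sh.suite), version_policy_accepts(sh.version));
    return 0;
}
```

On the sample, policy A accepts the connection while policy B rejects it, which is why the version has to be checked directly.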