Re: [tor-bugs] #4822 [Tor Client]: Avoid vulnerability CVE-2011-4576 : Disable SSL3?



#4822: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
---------------------------+------------------------------------------------
    Reporter:  nickm       |       Owner:                    
        Type:  defect      |      Status:  closed            
    Priority:  critical    |   Milestone:  Tor: 0.2.1.x-final
   Component:  Tor Client  |     Version:                    
  Resolution:  fixed       |    Keywords:                    
      Parent:              |      Points:                    
Actualpoints:              |  
---------------------------+------------------------------------------------
Changes (by nickm):

  * status:  reopened => closed
  * resolution:  => fixed


Comment:

 Okay, so if I understand correctly, wanoskarnet is saying that our reading
 of the TLSv1_method() documentation and the SSLv23_method() documentation
 is wrong: that a TLSv1_method() client can connect perfectly well to an
 SSLv23_method() server, and vice versa.

 I'm attaching a quick-and-dirty test program to demonstrate this (using some
 code from libevent and some from the OpenSSL docs).

 This doesn't mean that we need any changes in the code, except for fixing
 the comment to be correct.  I'll do that after I attach the demo code.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4822#comment:36>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs