[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [tor/maint-0.2.4] Elevate server TLS cipher preferences over client
commit 0b319de60f7c80ab5c37c57af182f4f710ceb5b7
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Thu Apr 17 10:23:18 2014 -0400
Elevate server TLS cipher preferences over client
The server cipher list is (thanks to #11513) chosen systematically to
put the best choices for Tor first. The client cipher list is chosen
to resemble a browser. So let's set SSL_OP_CIPHER_SERVER_PREFERENCE
to have the servers pick according to their own preference order.
---
changes/ticket11528 | 6 ++++++
src/common/tortls.c | 4 ++++
2 files changed, 10 insertions(+)
diff --git a/changes/ticket11528 b/changes/ticket11528
new file mode 100644
index 0000000..15daad9
--- /dev/null
+++ b/changes/ticket11528
@@ -0,0 +1,6 @@
+ o Minor features:
+ - Servers now trust themselves to have a better view than clients of
+ which TLS ciphersuites to choose. (Thanks to #11513, the server
+ list is now well-considered, whereas the client list has been
+ chosen mainly for anti-fingerprinting purposes.) Resolves ticket
+ 11528.
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 886ee0d..8eb524e 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1261,6 +1261,10 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
goto error;
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
+ /* Prefer the server's ordering of ciphers: the client's ordering has
+ * historically been chosen for fingerprinting resistance. */
+ SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+
/* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to
* workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
* June 2012), wherein renegotiating while using one of these TLS
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits