[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [tor/master] Only disable TLS tickets when being/acting as a server.
commit 62a49c0cc85037d3e79468961ff625ec5e8aad65
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Wed Oct 24 20:13:25 2012 -0400
Only disable TLS tickets when being/acting as a server.
Fix for bug 7189.
---
changes/bug7189_server_only | 5 +++++
src/common/tortls.c | 7 +++++--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/changes/bug7189_server_only b/changes/bug7189_server_only
new file mode 100644
index 0000000..6c24621
--- /dev/null
+++ b/changes/bug7189_server_only
@@ -0,0 +1,5 @@
+ o Minor bugfixes:
+ - Only disable TLS session ticket support when running as a TLS
+ server. It's important for clients to remain hard to distinguish
+ from regular firefox connections. Fixes bug 7189; bugfix on
+ Tor 0.2.3.23-rc.
diff --git a/src/common/tortls.c b/src/common/tortls.c
index bec2c71..12eac8d 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1198,10 +1198,13 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
/* Disable TLS tickets if they're supported. We never want to use them;
* using them can make our perfect forward secrecy a little worse, *and*
* create an opportunity to fingerprint us (since it's unusual to use them
- * with TLS sessions turned off).
+ * with TLS sessions turned off). Clients need to advertise support for
+ * them, though to avoid a TLS distinguishability vector.
*/
#ifdef SSL_OP_NO_TICKET
- SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
+ if (! is_client) {
+ SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
+ }
#endif
if (
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits