[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [tor/master] Re-enable TLS 1.[12] when building with OpenSSL >= 1.0.1e

To: tor-commits@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-commits] [tor/master] Re-enable TLS 1.[12] when building with OpenSSL >= 1.0.1e
From: nickm@xxxxxxxxxxxxxx
Date: Wed, 25 Sep 2013 18:35:25 +0000 (UTC)
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 25 Sep 2013 14:35:40 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-commits/>
List-help: <mailto:tor-commits-request@lists.torproject.org?subject=help>
List-id: "auto: code repository commits" <tor-commits.lists.torproject.org>
List-post: <mailto:tor-commits@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=unsubscribe>
Patch-author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Sender: "tor-commits" <tor-commits-bounces@xxxxxxxxxxxxxxxxxxxx>

commit ad763a336cb3655151383172bcfa658870ad8950
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date:   Tue Aug 13 23:43:39 2013 -0400

    Re-enable TLS 1.[12] when building with OpenSSL >= 1.0.1e
    
    To fix #6033, we disabled TLS 1.1 and 1.2.  Eventually, OpenSSL fixed
    the bug behind #6033.
    
    I've considered alternate implementations that do more testing to see
    if there's secretly an OpenSSL 1.0.1c or something that secretly has a
    backport of the OpenSSL 1.0.1e fix, and decided against it on the
    grounds of complexity.
---
 changes/bug6055     |    6 ++++++
 src/common/tortls.c |    3 +++
 2 files changed, 9 insertions(+)

diff --git a/changes/bug6055 b/changes/bug6055
new file mode 100644
index 0000000..0073007
--- /dev/null
+++ b/changes/bug6055
@@ -0,0 +1,6 @@
+  o Major enhancements:
+    - Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later.
+      (OpenSSL before 1.0.1 didn't have TLS 1.1 or 1.2. OpenSSL from 1.0.1
+      through 1.0.1d had bugs that prevented renegotiation from working
+      with TLS 1.1 or 1.2, so we disabled them to solve bug 6033.) Fix for
+      issue #6055.
diff --git a/src/common/tortls.c b/src/common/tortls.c
index b7e5bc1..90ebb75 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1269,12 +1269,15 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
    * version.  Once some version of OpenSSL does TLS1.1 and TLS1.2
    * renegotiation properly, we can turn them back on when built with
    * that version. */
+#if OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,1,'e')
 #ifdef SSL_OP_NO_TLSv1_2
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2);
 #endif
 #ifdef SSL_OP_NO_TLSv1_1
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1);
 #endif
+#endif
+
   /* Disable TLS tickets if they're supported.  We never want to use them;
    * using them can make our perfect forward secrecy a little worse, *and*
    * create an opportunity to fingerprint us (since it's unusual to use them



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits

Prev by Author: [tor-commits] [tor/master] Merge remote-tracking branch 'public/bug6055_v2_024'
Next by Author: [tor-commits] [githax/master] replace git:// with https:// in Howto.txt
Previous by thread: [tor-commits] [tor/master] Merge remote-tracking branch 'public/bug6055_v2_024'
Next by thread: [tor-commits] [flashproxy/master] Finish updating to newer shorewall6 syntax.
Index(es):
- Author
- Thread