On Thu, 28 Jan 2016 10:35:21 -0500 Nick Mathewson <nickm@xxxxxxxxxxxxxx> wrote:
> Somebody always asks whether Tor is affected by each OpenSSL advisory,
> so I'm sending this mail in order to get a URL to send people to. :)
>
> Here are today's advisories:
> https://mta.openssl.org/pipermail/openssl-announce/2016-January/000061.html
>
> With respect to the first ( "DH small subgroups (CVE-2016-0701)" ),
> Tor is not affected because we set the SSL_OP_SINGLE_DH_USE() option.
> We started setting this option back in Tor 0.1.1.9-alpha, back in
> 2005.

It's also worth noting that newer (0.2.7.x) versions of Tor should not be doing DHE except when talking to old versions of Tor linked against old versions of OpenSSL, as ECDH is both mandatory and preferred in the current stable series.

All versions of OpenSSL that predate support for ECC have been EOLed and no longer receive security fixes, so if your system is using OpenSSL 0.9.8 (or 1.0.0 for that matter, though it has ECC), you are strongly encouraged to upgrade to something that is being maintained.

Regards,

-- 
Yawning Angel
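The two mitigations the thread touches on can be seen in a few lines of code. The following is an added example, not code from the tor-dev thread or from Tor or OpenSSL: it models what SSL_OP_SINGLE_DH_USE changes (a fresh DH private exponent for every handshake instead of one reused for the lifetime of the context) and pairs it with the peer-value check that a careful DH implementation performs regardless of that option. The group parameters, the `DHParty` class and the helper names are all constructed for the example; p = 607 is a deliberately non-safe toy prime (p - 1 = 2 * 3 * 101) so that small cofactor subgroups exist, the way they do in the X9.42-style groups the advisory is about.

```python
"""Added example (not from the tor-dev thread, Tor or OpenSSL): the two
defences relevant to "DH small subgroups" (CVE-2016-0701).

  1. A fresh private exponent per handshake (what SSL_OP_SINGLE_DH_USE makes
     OpenSSL do), so no information about one exchange carries over to the next.
  2. Validation of the peer's public value, rejecting anything that is not in
     the intended prime-order subgroup.

Parameters are a constructed toy group so the code runs instantly; real
deployments use 2048-bit or larger groups.
"""
import secrets

# Constructed toy parameters. p is NOT a safe prime: p - 1 = 2 * 3 * 101, so the
# multiplicative group contains small subgroups of order 2 and 3 in addition to
# the order-q subgroup we actually want to work in.
P = 607
Q = 101
G = 64  # 2**6 mod 607; its order is exactly q = 101


def validate_dh_public(y: int, p: int = P, q: int = Q) -> bool:
    """True only if y is a legitimate element of the order-q subgroup.

    Range check 2 <= y <= p-2 rejects 0, 1 and p-1 (orders 1 and 2).
    Subgroup check y**q == 1 (mod p) rejects every value whose order is not
    1 or q, i.e. values sitting in a small cofactor subgroup.
    """
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q, p) == 1


def cofactor_element(order: int, p: int = P) -> int:
    """Find an element whose order is exactly `order` (must divide p-1).

    Used only to build test inputs: raising any h to (p-1)/order yields an
    element whose order divides `order`; the first one that is not 1 has
    order `order` when `order` is prime.
    """
    assert (p - 1) % order == 0
    for h in range(2, p):
        y = pow(h, (p - 1) // order, p)
        if y != 1:
            return y
    raise ValueError("no element of that order")


class DHParty:
    """Minimal DH endpoint. single_use=True models SSL_OP_SINGLE_DH_USE."""

    def __init__(self, single_use: bool, p: int = P, q: int = Q, g: int = G):
        self.single_use = single_use
        self.p, self.q, self.g = p, q, g
        self._priv = None

    def public_value(self) -> int:
        # With single_use, every handshake draws a new exponent in [1, q-1];
        # without it, the exponent from the first handshake is reused.
        if self.single_use or self._priv is None:
            self._priv = 1 + secrets.randbelow(self.q - 1)
        return pow(self.g, self._priv, self.p)

    def shared_secret(self, peer_public: int) -> int:
        if self._priv is None:
            raise RuntimeError("call public_value() before shared_secret()")
        if not validate_dh_public(peer_public, self.p, self.q):
            raise ValueError("peer DH public value rejected: not in order-q subgroup")
        return pow(peer_public, self._priv, self.p)


def handshake(alice: DHParty, bob: DHParty) -> int:
    """Run one exchange and return the agreed secret (both sides must match)."""
    ya, yb = alice.public_value(), bob.public_value()
    sa, sb = alice.shared_secret(yb), bob.shared_secret(ya)
    assert sa == sb
    return sa


def public_values_over(party: DHParty, handshakes: int) -> list:
    """Public values a party sends across several handshakes with fresh peers."""
    out = []
    for _ in range(handshakes):
        peer = DHParty(single_use=True, p=party.p, q=party.q, g=party.g)
        handshake(party, peer)
        out.append(pow(party.g, party._priv, party.p))
    return out


if __name__ == "__main__":
    print("single-use party:", public_values_over(DHParty(True), 5))
    print("key-reusing party:", public_values_over(DHParty(False), 5))
    print("order-3 value accepted?", validate_dh_public(cofactor_element(3)))
```

The subgroup check costs one modular exponentiation per handshake and needs q to be known, which is the case for X9.42-style parameters but not for arbitrary "p and g" files, so the cheap range check should be applied unconditionally and the subgroup check whenever q is available. In Python's own `ssl` module the OpenSSL flag is exposed as `ssl.OP_SINGLE_DH_USE` (Python 3.6 and later); per the linked advisory, OpenSSL 1.0.2f turned the option on by default, and 1.1.0 made it unconditional.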
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev