Re: [tor-dev] Minimum required ciphers for running Tor as both client and router.
Thanks, Nick, for the fast answer.
I went through the official OpenSSL cipher docs but also found a nice
(probably outdated) list on Stack Overflow.
Ciphers:
no-idea -DOPENSSL_NO_IDEA
no-aes -DOPENSSL_NO_AES
no-camellia -DOPENSSL_NO_CAMELLIA
no-seed -DOPENSSL_NO_SEED
no-bf -DOPENSSL_NO_BF
no-cast -DOPENSSL_NO_CAST
no-des -DOPENSSL_NO_DES
no-rc2 -DOPENSSL_NO_RC2
no-rc4 -DOPENSSL_NO_RC4
no-rc5 -DOPENSSL_NO_RC5
no-md2 -DOPENSSL_NO_MD2
no-md4 -DOPENSSL_NO_MD4
no-md5 -DOPENSSL_NO_MD5
no-sha -DOPENSSL_NO_SHA
no-ripemd -DOPENSSL_NO_RIPEMD
no-mdc2 -DOPENSSL_NO_MDC2
no-rsa -DOPENSSL_NO_RSA
no-dsa -DOPENSSL_NO_DSA
no-dh -DOPENSSL_NO_DH
no-ec -DOPENSSL_NO_EC
no-ecdsa -DOPENSSL_NO_ECDSA
no-ecdh -DOPENSSL_NO_ECDH
Non-cipher functionality:
no-sock -DOPENSSL_NO_SOCK No socket code.
no-ssl2 -DOPENSSL_NO_SSL2 No SSLv2.
no-ssl3 -DOPENSSL_NO_SSL3 No SSLv3.
no-err -DOPENSSL_NO_ERR No error strings.
no-krb5 -DOPENSSL_NO_KRB5 No Kerberos v5.
no-engine -DOPENSSL_NO_ENGINE No dynamic engines.
no-hw -DOPENSSL_NO_HW No support for external hardware.
Not documented:
no-tlsext -DOPENSSL_NO_TLSEXT
no-cms -DOPENSSL_NO_CMS
no-jpake -DOPENSSL_NO_JPAKE
no-capieng -DOPENSSL_NO_CAPIENG
I recompiled OpenSSL with the following ciphers disabled:
no-krb5 no-ssl2 no-dso no-engines no-hw no-idea no-err \
no-mdc2 no-rc5 no-camellia no-seed no-des no-dsa no-ec \
no-ecdsa no-ecdh no-ripemd no-md2 no-md4 no-cast no-bf \
no-cms no-jpake no-capieng
Enabled:
shared threads enable-tlxext zlib
That gets me a nice stripped 1.2MB libcrypto and 300KB libssl.
It does mention that OpenSSL has been built with ciphers disabled:
Jul 13 15:55:54.000 [notice] We weren't able to find support for all
of the TLS ciphersuites that we wanted to advertise. This won't hurt
security, but it might make your Tor (if run as a client) more easy
for censors to block.
However, it works very well; even after clearing the cache it connects
very fast (faster than the mips build).
If you happen to know more ciphers that can be disabled (without using
router functionality), please let me know.
2012/7/13 Nick Mathewson <nickm@xxxxxxxxxxxx>
>
> On Fri, Jul 13, 2012 at 8:14 AM, Gino Badouri <g.badouri@xxxxxxxxx> wrote:
>
> Hi!
>
> > From the OpenSSL documentation it seems that no-hw and no-engines leaves out
> > support for hardware crypto engines so those are safe to set (our devices
> > don't have them).
> >
> > Could anybody provide us with more "no-" options for ciphers we can skip?
> > Thanks a lot!
>
> The absolutely required cryptographic primitives for Tor are AES,
> SHA1, SHA256, DH, and RSA. This may grow in the future.
>
> Be aware though that being unable to negotiate certain ciphersuites
> might make your devices more fingerprintable, since starting in
> 0.2.3.x Tor will no longer advertise openssl-supported ciphersuites
> that it doesn't have.
>
> --
> Nick
> _______________________________________________
> tor-dev mailing list
> tor-dev@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
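A quick way to sanity-check a trimmed build line against the primitives Nick lists, as an added example (not code from this thread, from Tor or from OpenSSL): it maps each `no-*` configure option to the OPENSSL_NO_* macro from the table quoted above and reports any option that would remove AES, SHA1, SHA256, DH or RSA. The option-to-macro table is the one in the message; the primitive-to-option mapping (SHA1 and SHA256 both fall under `no-sha`, since that option removes the whole sha module) and the `no-dso`/`no-engines` entries are my assumptions, as is the sample option list, which is the poster's `no-*` list with a few of the enable options appended.

```python
"""Check an OpenSSL './config' option list against the primitives Tor needs.

Added example, not code from the thread or from Tor/OpenSSL. The no-* option
table is the one listed in the message above; the required-primitive set is
the one Nick gives (AES, SHA1, SHA256, DH, RSA). The mapping from a primitive
to the option that would remove it is my assumption, as are the entries for
no-dso and no-engines, which the poster used but the quoted table omits.
"""

# Configure option -> macro it defines, as listed in the thread.
NO_OPTIONS = {
    "no-idea": "OPENSSL_NO_IDEA", "no-aes": "OPENSSL_NO_AES",
    "no-camellia": "OPENSSL_NO_CAMELLIA", "no-seed": "OPENSSL_NO_SEED",
    "no-bf": "OPENSSL_NO_BF", "no-cast": "OPENSSL_NO_CAST",
    "no-des": "OPENSSL_NO_DES", "no-rc2": "OPENSSL_NO_RC2",
    "no-rc4": "OPENSSL_NO_RC4", "no-rc5": "OPENSSL_NO_RC5",
    "no-md2": "OPENSSL_NO_MD2", "no-md4": "OPENSSL_NO_MD4",
    "no-md5": "OPENSSL_NO_MD5", "no-sha": "OPENSSL_NO_SHA",
    "no-ripemd": "OPENSSL_NO_RIPEMD", "no-mdc2": "OPENSSL_NO_MDC2",
    "no-rsa": "OPENSSL_NO_RSA", "no-dsa": "OPENSSL_NO_DSA",
    "no-dh": "OPENSSL_NO_DH", "no-ec": "OPENSSL_NO_EC",
    "no-ecdsa": "OPENSSL_NO_ECDSA", "no-ecdh": "OPENSSL_NO_ECDH",
    "no-sock": "OPENSSL_NO_SOCK", "no-ssl2": "OPENSSL_NO_SSL2",
    "no-ssl3": "OPENSSL_NO_SSL3", "no-err": "OPENSSL_NO_ERR",
    "no-krb5": "OPENSSL_NO_KRB5", "no-engine": "OPENSSL_NO_ENGINE",
    "no-hw": "OPENSSL_NO_HW", "no-tlsext": "OPENSSL_NO_TLSEXT",
    "no-cms": "OPENSSL_NO_CMS", "no-jpake": "OPENSSL_NO_JPAKE",
    "no-capieng": "OPENSSL_NO_CAPIENG",
    # Assumed entries: used in the poster's build line, absent from the table.
    "no-dso": "OPENSSL_NO_DSO", "no-engines": "OPENSSL_NO_ENGINE",
}

# Primitive Tor requires (per Nick) -> configure option that would remove it.
REQUIRED = {
    "AES": "no-aes",
    "SHA1": "no-sha",     # no-sha drops the whole sha module, SHA-1 included
    "SHA256": "no-sha",   # ... and SHA-256 with it
    "DH": "no-dh",
    "RSA": "no-rsa",
}


def parse_options(text):
    """Split a shell-style option list, joining backslash line continuations."""
    return text.replace("\\\n", " ").split()


def check_build_options(options):
    """Classify each option and report required primitives the build would lose."""
    result = {"missing": {}, "macros": [], "unknown": [], "other": []}
    for opt in options:
        if not opt.startswith("no-"):
            result["other"].append(opt)      # enable-*, shared, threads, zlib, ...
            continue
        macro = NO_OPTIONS.get(opt)
        if macro is None:
            result["unknown"].append(opt)    # not in our table: check it by hand
            continue
        result["macros"].append(macro)
        for primitive, killer in REQUIRED.items():
            if killer == opt:
                result["missing"][primitive] = opt
    return result


# Constructed sample: the poster's no-* list from the message above, plus a
# few of the non-"no-" options to show how they are passed through.
POSTER_OPTIONS = """no-krb5 no-ssl2 no-dso no-engines no-hw no-idea no-err \\
no-mdc2 no-rc5 no-camellia no-seed no-des no-dsa no-ec \\
no-ecdsa no-ecdh no-ripemd no-md2 no-md4 no-cast no-bf \\
no-cms no-jpake no-capieng shared threads zlib"""

if __name__ == "__main__":
    report = check_build_options(parse_options(POSTER_OPTIONS))
    if report["missing"]:
        for primitive, opt in sorted(report["missing"].items()):
            print(f"FAIL: {opt} removes {primitive}, which Tor requires")
    else:
        print("OK: no required primitive is disabled")
    for opt in report["unknown"]:
        print(f"WARN: {opt} is not in the table; confirm what it disables")
```

Run against the poster's list it reports that none of the five required primitives is disabled; feeding it a line containing `no-aes` or `no-sha` turns those into FAIL entries. Options the table does not know are listed separately rather than silently accepted, which is the case a build script should treat as a stop, not a pass.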