[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #19998 [Core Tor/Tor]: Stop allowing 3DES in TLS ciphersuites

Subject: [tor-bugs] #19998 [Core Tor/Tor]: Stop allowing 3DES in TLS ciphersuites
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Fri, 26 Aug 2016 14:07:04 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 26 Aug 2016 10:07:14 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#19998: Stop allowing 3DES in TLS ciphersuites
------------------------------+--------------------------------
     Reporter:  nickm         |      Owner:
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:  Tor: 0.2.9.x-final
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:
Actual Points:                |  Parent ID:
       Points:  .2            |   Reviewer:
      Sponsor:                |
------------------------------+--------------------------------
 Thanks to the SWEET32 attack, 3des is getting lots of attention.

 Right now, Tor is willing in principle to negotiate a 3DES TLS connection.

 But the good news is (I think) that two non-obsolete Tor instances will
 never actually do so. Here is my reasoning:
    * Our source code has always preferred AES to 3DES. So the only way to
 get 3DES would be if one party didn't support AES.
    * OpenSSL began supporting AES in version 0.9.7.
    * Tor has required OpenSSL 0.9.7 or later since 7da93b80ca7a6ba , which
 was in 0.2.0.10-alpha.

 So this cipher shouldn't get negotiated, unless you're doing something
 very very weird.

 I suggest that the best fix is to stop servers from ever choosing it.

 I suggest that as an additional fix, clients should reject a connection to
 any server that  _does_ choose it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19998>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #19998 [Core Tor/Tor]: Stop allowing 3DES in TLS ciphersuites
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #19998 [Core Tor/Tor]: Stop allowing 3DES in TLS ciphersuites
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #19720 [Metrics/CollecTor]: CollecTor should be re-configurable without restart
Next by Author: Re: [tor-bugs] #18120 [Applications/Tor Browser]: UI for ExitNode country selection for this site in Torbutton
Previous by thread: Re: [tor-bugs] #16106 [Core Tor/Tor]: Sandbox causes crash when creating a hidden service through the control port
Next by thread: Re: [tor-bugs] #19998 [Core Tor/Tor]: Stop allowing 3DES in TLS ciphersuites
Index(es):
- Author
- Thread