[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #4822 [Tor Client]: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
#4822: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
------------------------+---------------------------------------------------
Reporter: nickm | Owner:
Type: defect | Status: new
Priority: critical | Milestone: Tor: 0.2.1.x-final
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by nickm):
Have a look at branch "bug4822_021" in my public repo.
I considered an approach where we would allow any handshake, but disallow
any SSL3 ciphers so that the handshake would fail if the ssl3 handshake
were actually tried. Problem was, openssl allows tls1 ciphers with the
ssl3 handshake, so that wouldn't have worked. (Thanks to asn for testing
that.)
This needs review and a changes file.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4822#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs