[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] relay's count handshake versions, why not TLS handshake types?

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] relay's count handshake versions, why not TLS handshake types?
From: starlight.2015q2@xxxxxxxxxxx
Date: Sun, 02 Aug 2015 13:28:44 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 02 Aug 2015 13:29:00 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Of course!  This is implicit in my posting.

What I am saying is that, like old v1/v2
handshakes, Tor should be moving in the
direction of eliminating DHE.  The
way to approach that is to *count*
the number of DHE handshakes and
other TLS session attributes.  This
is currently begin done for TOR/NTOR
handshakes but is not for TLS negotiations.

0.2.7 will not build/run with openssl
0.9.8, so once 0.2.7 is widely deployed
DHE can be forcibly disabled.

BUT, as with v1/v2 handshakes, one
would not want to do that prematurely
so counting them is a good idea.

That suggesting is the principle
idea of the thread.

At 20:01 8/2/2015 +0300, you wrote:
>I think that is to maintain a backward
>compatibility. Tor tries as hard as possible to
>maintain backward compatibility with older
>versions, unless something critical which requires
>deprecation regardless some relays will disappear
>from the consensus.
>
>I guess this is the reason we currently prefer
>ECDHE but do not reject DHE. In the future, when
>we are certain everyone upgraded to new enough
>OpenSSL, we can safely reject DHE all the time.
>

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Prev by Author: Re: [tor-relays] relay's count handshake versions, why not TLS handshake types?
Next by Author: Re: [tor-relays] relay's count handshake versions, why not TLS handshake types?
Previous by thread: Re: [tor-relays] relay's count handshake versions, why not TLS handshake types?
Next by thread: Re: [tor-relays] relay's count handshake versions, why not TLS handshake types?
Index(es):
- Author
- Thread