
Re: [tor-relays] relay's count handshake versions, why not TLS handshake types?



Of course!  This is implicit in my posting.

What I am saying is that, like old v1/v2
handshakes, Tor should be moving in the
direction of eliminating DHE.  The
way to approach that is to *count*
the number of DHE handshakes and
other TLS session attributes.  This
is currently being done for TOR/NTOR
handshakes but is not for TLS negotiations.

0.2.7 will not build/run with openssl
0.9.8, so once 0.2.7 is widely deployed
DHE can be forcibly disabled.

BUT, as with v1/v2 handshakes, one
would not want to do that prematurely
so counting them is a good idea.

That suggestion is the principal
idea of the thread.




At 20:01 8/2/2015 +0300, you wrote:
>I think that is to maintain backward
>compatibility. Tor tries as hard as possible to
>maintain backward compatibility with older
>versions, unless something critical requires
>deprecation, regardless of the fact that some relays will
>disappear from the consensus.
>
>I guess this is the reason we currently prefer
>ECDHE but do not reject DHE. In the future, when
>we are certain everyone upgraded to new enough
>OpenSSL, we can safely reject DHE all the time.
>

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
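As an added example (not code from Tor or from either poster), the following Python sketch shows what "counting DHE handshakes" could look like at the wire level: it parses TLS ServerHello records, maps the negotiated cipher suite to its key-exchange family (ECDHE, DHE, static RSA) and tallies them, so an operator can see how many peers still fall back to DHE before DHE is disabled. The ServerHello bytes and the small cipher-suite table are constructed here for the example; the suite codes are the real IANA values. A relay would normally read the negotiated suite from its TLS library (for example OpenSSL's SSL_get_current_cipher) rather than parse records itself; the parser is here only so the example runs offline.

```python
import struct
from collections import Counter

# Subset of the IANA cipher-suite registry (constructed subset; the codes are real).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

TLS_HANDSHAKE = 22       # record content type
SERVER_HELLO = 2         # handshake message type


def key_exchange(suite_name):
    """Classify a cipher-suite name by its key-exchange family."""
    parts = suite_name.split("_")
    if "ECDHE" in parts:
        return "ECDHE"
    if "DHE" in parts:
        return "DHE"
    if len(parts) > 1 and parts[1] == "RSA":
        return "RSA"          # static RSA key transport, no forward secrecy
    return "other"


def build_server_hello(suite, session_id=b""):
    """Construct a minimal TLS 1.2 ServerHello record (sample input, zero random)."""
    body = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")          # compression: null
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Return the cipher-suite code negotiated in a ServerHello record."""
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    handshake = record[5:5 + length]
    if handshake[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    hello = handshake[4:4 + hs_len]
    # version(2) random(32) session_id_len(1) session_id cipher_suite(2) ...
    sid_len = hello[34]
    offset = 35 + sid_len
    return struct.unpack("!H", hello[offset:offset + 2])[0]


def tally_handshakes(records):
    """Count observed TLS negotiations by key-exchange family."""
    counts = Counter()
    for record in records:
        code = parse_server_hello(record)
        name = CIPHER_SUITES.get(code)
        counts[key_exchange(name) if name else "unknown"] += 1
    return counts


def dhe_fraction(counts):
    """Share of negotiations that used classic DHE; 0.0 when nothing was counted."""
    total = sum(counts.values())
    return counts["DHE"] / total if total else 0.0


# Constructed sample: six ServerHellos as a relay might observe them.
SAMPLE_HELLOS = [
    build_server_hello(code, b"\xaa\xbb\xcc\xdd")
    for code in (0xC02F, 0xC02F, 0xC02B, 0x0033, 0x009E, 0x002F)
]

if __name__ == "__main__":
    counts = tally_handshakes(SAMPLE_HELLOS)
    for family, n in sorted(counts.items()):
        print(f"{family:6s} {n}")
    print(f"DHE share: {dhe_fraction(counts):.1%}")
```

The tally is what the thread asks for: once the DHE share reported this way has dropped to a negligible fraction across the deployed relay population, dropping DHE from the accepted suites stops being a guess.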