changes/bug6033 0 → 100644 +6 −0 Original line number Diff line number Diff line o Major bugfixes: - Work around a bug in OpenSSL that broke renegotiation with TLS 1.1 and TLS 1.2. Without this workaround, all attempts to speak the v2 Tor network protocol when both sides were using OpenSSL 1.0.1 would fail. Fix for bug 6033, which is not a bug in Tor.
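Review bot: The changes entry describes the symptom but not the user-visible effect of the workaround, which is that TLS 1.1 and TLS 1.2 are disabled for all Tor TLS contexts whenever the build's OpenSSL headers define SSL_OP_NO_TLSv1_1 / SSL_OP_NO_TLSv1_2, not only during renegotiation and not only on OpenSSL 1.0.1. Suggest adding a sentence such as "As a side effect, Tor now only negotiates TLS 1.0 when built against OpenSSL 1.0.1 or later, until OpenSSL fixes renegotiation for newer protocol versions" so operators understand why their relays stop offering TLS 1.2.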
src/common/tortls.c +15 −0 Original line number Diff line number Diff line Loading @@ -790,6 +790,21 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime, goto error; SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); /* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1 * June 2012), wherein renegotiating while using one of these TLS * protocols will cause the client to send a TLS 1.0 ServerHello * rather than a ServerHello written with the appropriate protocol * version. Once some version of OpenSSL does TLS1.1 and TLS1.2 * renegotiation properly, we can turn them back on when built with * that version. */ #ifdef SSL_OP_NO_TLSv1_2 SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2); #endif #ifdef SSL_OP_NO_TLSv1_1 SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1); #endif if ( #ifdef DISABLE_SSL3_HANDSHAKE 1 || Loading
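Review bot: The two SSL_CTX_set_options calls are guarded only by #ifdef on the option macros, so they apply to every OpenSSL that defines them, while the comment says the workaround is for "all OpenSSL 1.0.1 versions (as of 1 June 2012)" and that TLS 1.1/1.2 should be turned back on once a fixed version exists. Consider also gating the block on the OpenSSL version (for example an OPENSSL_VERSION_NUMBER range covering only the affected 1.0.1 releases, or a runtime check against SSLeay() so a dynamically linked newer library is not penalized), otherwise a fixed OpenSSL silently keeps the downgrade until someone remembers to remove this code. The comment's description also looks inverted: a client sends a ClientHello, not a ServerHello, so the sentence "will cause the client to send a TLS 1.0 ServerHello" should say either that the client sends a TLS 1.0 ClientHello or that the server answers with a TLS 1.0 ServerHello, whichever matches the observed behavior.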