Loading changes/ticket11528 0 → 100644 +6 −0 Original line number Diff line number Diff line o Minor features: - Servers now trust themselves to have a better view than clients of which TLS ciphersuites to choose. (Thanks to #11513, the server list is now well-considered, whereas the client list has been chosen mainly for anti-fingerprinting purposes.) Resolves ticket 11528. src/common/tortls.c +4 −0 Original line number Diff line number Diff line Loading @@ -1277,6 +1277,10 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, goto error; SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); /* Prefer the server's ordering of ciphers: the client's ordering has * historically been chosen for fingerprinting resistance. */ SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); /* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1 * June 2012), wherein renegotiating while using one of these TLS Loading Loading
changes/ticket11528 0 → 100644 +6 −0 Original line number Diff line number Diff line o Minor features: - Servers now trust themselves to have a better view than clients of which TLS ciphersuites to choose. (Thanks to #11513, the server list is now well-considered, whereas the client list has been chosen mainly for anti-fingerprinting purposes.) Resolves ticket 11528.
src/common/tortls.c +4 −0 Original line number Diff line number Diff line Loading @@ -1277,6 +1277,10 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, goto error; SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); /* Prefer the server's ordering of ciphers: the client's ordering has * historically been chosen for fingerprinting resistance. */ SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); /* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1 * June 2012), wherein renegotiating while using one of these TLS Loading
