Stop allowing 3DES in TLS ciphersuites
Thanks to the SWEET32 attack, 3DES is getting lots of attention.
Right now, Tor is willing in principle to negotiate a 3DES TLS connection.
But the good news is (I think) that two non-obsolete Tor instances will never actually do so. Here is my reasoning:
- Our source code has always preferred AES to 3DES. So the only way to get 3DES would be if one party didn't support AES.
- OpenSSL began supporting AES in version 0.9.7.
- Tor has required OpenSSL 0.9.7 or later since 7da93b80ca7a6ba, which was in 0.2.0.10-alpha.
So this cipher shouldn't get negotiated, unless you're doing something very very weird.
I suggest that the best fix is to stop servers from ever choosing it.
I suggest that as an additional fix, clients should reject a connection to any server that does choose it.
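The two fixes proposed above, as an added illustration that is not Tor's code and not part of this ticket: a server-side cipher list that can never select a 3DES suite, a check that verifies the resulting OpenSSL cipher list really contains none, and the client-side rule that drops a connection whose negotiated suite is 3DES. It is written against Python's `ssl` module rather than Tor's C/OpenSSL code; the starting cipher string `DEFAULT` and the sample negotiated-cipher tuples are assumptions chosen for the example. OpenSSL names every 3DES suite with `DES-CBC3` (for example `DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`), which is what the name check relies on.

```python
import ssl

# OpenSSL names every 3DES suite with "DES-CBC3" (e.g. DES-CBC3-SHA,
# ECDHE-RSA-DES-CBC3-SHA); "3DES" is the cipher-list alias for the same group.
_3DES_MARKERS = ("DES-CBC3", "3DES")


def is_3des_cipher(name):
    """True if an OpenSSL cipher-suite name denotes a 3DES (triple-DES) suite."""
    return any(marker in name.upper() for marker in _3DES_MARKERS)


def make_server_context(base="DEFAULT"):
    """Server-side fix: build a context whose cipher list can never select 3DES.

    `base` is an illustrative starting cipher string (assumption), not Tor's
    real list; the "!3DES" suffix is what removes every triple-DES suite.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(base + ":!3DES")
    return ctx


def list_3des_suites(ctx):
    """Names of 3DES suites still enabled in ctx; an empty list means the
    server can never choose one, whatever the peer offers."""
    return [c["name"] for c in ctx.get_ciphers() if is_3des_cipher(c["name"])]


def client_should_reject(negotiated):
    """Client-side fix: given SSLSocket.cipher() -> (name, protocol, secret_bits),
    return True if the server chose a 3DES suite and the connection must be dropped.
    A missing cipher (None) is also rejected: nothing was negotiated to trust."""
    if negotiated is None:
        return True
    name, _protocol, _bits = negotiated
    return is_3des_cipher(name)


if __name__ == "__main__":
    server_ctx = make_server_context()
    print("3DES suites left on server:", list_3des_suites(server_ctx))
    # Constructed samples of what a client might see from SSLSocket.cipher():
    for sample in [("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256),
                   ("ECDHE-RSA-DES-CBC3-SHA", "TLSv1.2", 112)]:
        verdict = "reject" if client_should_reject(sample) else "accept"
        print(sample[0], "->", verdict)
```

In a C implementation on top of OpenSSL the same two steps map onto `SSL_CTX_set_cipher_list()` for the server-side exclusion and `SSL_get_current_cipher()` / `SSL_CIPHER_get_name()` after the handshake for the client-side check; the example above does not reproduce how Tor itself does this.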