Loading changes/bug24978 0 → 100644 +7 −0 Original line number Diff line number Diff line o Minor features (compatibility, OpenSSL): - Tor will now support TLS1.3 once OpenSSL 1.1.1 is released. Previous versions of Tor would not have worked with OpenSSL 1.1.1, since they neither disabled TLS 1.3 nor enabled any of the ciphersuites it requires. Here we enable the TLS 1.3 ciphersuites. Closes ticket 24978. src/common/ciphers.inc +20 −1 Original line number Diff line number Diff line Loading @@ -2,8 +2,27 @@ * advertise. Before including it, you should define the CIPHER and XCIPHER * macros. * * This file was automatically generated by get_mozilla_ciphers.py. * This file was automatically generated by get_mozilla_ciphers.py; * TLSv1.3 ciphers were added manually. */ /* Here are the TLS1.3 ciphers. Note that we don't have XCIPHER instances * here, since we don't want to ever fake them. */ #ifdef TLS1_3_TXT_AES_128_GCM_SHA256 CIPHER(0x1301, TLS1_3_TXT_AES_128_GCM_SHA256) #endif #ifdef TLS1_3_TXT_AES_256_GCM_SHA384 CIPHER(0x1302, TLS1_3_TXT_AES_256_GCM_SHA384) #endif #ifdef TLS1_3_TXT_CHACHA20_POLY1305_SHA256 CIPHER(0x1303, TLS1_3_TXT_CHACHA20_POLY1305_SHA256) #endif #ifdef TLS1_3_TXT_AES_128_CCM_SHA256 CIPHER(0x1304, TLS1_3_TXT_AES_128_CCM_SHA256) #endif /* Here's the machine-generated list. */ #ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 CIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) #else Loading src/common/tortls.c +25 −3 Original line number Diff line number Diff line Loading @@ -550,13 +550,35 @@ MOCK_IMPL(STATIC X509 *, /** List of ciphers that servers should select from when the client might be * claiming extra unsupported ciphers in order to avoid fingerprinting. */ #define SERVER_CIPHER_LIST \ (TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" \ TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) static const char SERVER_CIPHER_LIST[] = #ifdef TLS1_3_TXT_AES_128_GCM_SHA256 /* This one can never actually get selected, since if the client lists it, * we will assume that the client is honest, and not use this list. * Nonetheless we list it if it's available, so that the server doesn't * conclude that it has no valid ciphers if it's running with TLS1.3. */ TLS1_3_TXT_AES_128_GCM_SHA256 ":" #endif TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" TLS1_TXT_DHE_RSA_WITH_AES_128_SHA; /** List of ciphers that servers should select from when we actually have * our choice of what cipher to use. */ static const char UNRESTRICTED_SERVER_CIPHER_LIST[] = /* Here are the TLS 1.3 ciphers we like, in the order we prefer. */ #ifdef TLS1_3_TXT_AES_256_GCM_SHA384 TLS1_3_TXT_AES_256_GCM_SHA384 ":" #endif #ifdef TLS1_3_TXT_CHACHA20_POLY1305_SHA256 TLS1_3_TXT_CHACHA20_POLY1305_SHA256 ":" #endif #ifdef TLS1_3_TXT_AES_128_GCM_SHA256 TLS1_3_TXT_AES_128_GCM_SHA256 ":" #endif #ifdef TLS1_3_TXT_AES_128_CCM_SHA256 TLS1_3_TXT_AES_128_CCM_SHA256 ":" #endif /* This list is autogenerated with the gen_server_ciphers.py script; * don't hand-edit it. */ #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Loading Loading
changes/bug24978 0 → 100644 +7 −0 Original line number Diff line number Diff line o Minor features (compatibility, OpenSSL): - Tor will now support TLS1.3 once OpenSSL 1.1.1 is released. Previous versions of Tor would not have worked with OpenSSL 1.1.1, since they neither disabled TLS 1.3 nor enabled any of the ciphersuites it requires. Here we enable the TLS 1.3 ciphersuites. Closes ticket 24978.
src/common/ciphers.inc +20 −1 Original line number Diff line number Diff line Loading @@ -2,8 +2,27 @@ * advertise. Before including it, you should define the CIPHER and XCIPHER * macros. * * This file was automatically generated by get_mozilla_ciphers.py. * This file was automatically generated by get_mozilla_ciphers.py; * TLSv1.3 ciphers were added manually. */ /* Here are the TLS1.3 ciphers. Note that we don't have XCIPHER instances * here, since we don't want to ever fake them. */ #ifdef TLS1_3_TXT_AES_128_GCM_SHA256 CIPHER(0x1301, TLS1_3_TXT_AES_128_GCM_SHA256) #endif #ifdef TLS1_3_TXT_AES_256_GCM_SHA384 CIPHER(0x1302, TLS1_3_TXT_AES_256_GCM_SHA384) #endif #ifdef TLS1_3_TXT_CHACHA20_POLY1305_SHA256 CIPHER(0x1303, TLS1_3_TXT_CHACHA20_POLY1305_SHA256) #endif #ifdef TLS1_3_TXT_AES_128_CCM_SHA256 CIPHER(0x1304, TLS1_3_TXT_AES_128_CCM_SHA256) #endif /* Here's the machine-generated list. */ #ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 CIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) #else Loading
src/common/tortls.c +25 −3 Original line number Diff line number Diff line Loading @@ -550,13 +550,35 @@ MOCK_IMPL(STATIC X509 *, /** List of ciphers that servers should select from when the client might be * claiming extra unsupported ciphers in order to avoid fingerprinting. */ #define SERVER_CIPHER_LIST \ (TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" \ TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) static const char SERVER_CIPHER_LIST[] = #ifdef TLS1_3_TXT_AES_128_GCM_SHA256 /* This one can never actually get selected, since if the client lists it, * we will assume that the client is honest, and not use this list. * Nonetheless we list it if it's available, so that the server doesn't * conclude that it has no valid ciphers if it's running with TLS1.3. */ TLS1_3_TXT_AES_128_GCM_SHA256 ":" #endif TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" TLS1_TXT_DHE_RSA_WITH_AES_128_SHA; /** List of ciphers that servers should select from when we actually have * our choice of what cipher to use. */ static const char UNRESTRICTED_SERVER_CIPHER_LIST[] = /* Here are the TLS 1.3 ciphers we like, in the order we prefer. */ #ifdef TLS1_3_TXT_AES_256_GCM_SHA384 TLS1_3_TXT_AES_256_GCM_SHA384 ":" #endif #ifdef TLS1_3_TXT_CHACHA20_POLY1305_SHA256 TLS1_3_TXT_CHACHA20_POLY1305_SHA256 ":" #endif #ifdef TLS1_3_TXT_AES_128_GCM_SHA256 TLS1_3_TXT_AES_128_GCM_SHA256 ":" #endif #ifdef TLS1_3_TXT_AES_128_CCM_SHA256 TLS1_3_TXT_AES_128_CCM_SHA256 ":" #endif /* This list is autogenerated with the gen_server_ciphers.py script; * don't hand-edit it. */ #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Loading
