Commit 2ec88a2a authored by Nick Mathewson's avatar Nick Mathewson 🏃
Browse files

Tell openssl to build its TLS contexts with security level 1

Fixes bug 27344, where we'd break compatibility with old tors by
rejecting RSA1024 and DH1024.
parent 9fcb3ef7
o Minor features (compatibility):
- Tell OpenSSL to maintain backward compatibility with previous
RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these ciphers
are disabled by default. Closes ticket 27344.
......@@ -678,6 +678,7 @@ AC_CHECK_FUNCS([ \
SSL_get_client_ciphers \
SSL_get_client_random \
SSL_CIPHER_find \
SSL_CTX_set_security_level \
TLS_method
])
......
......@@ -1130,6 +1130,11 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
goto error;
#endif
#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
/* Level 1 re-enables RSA1024 and DH1024 for compatibility with old tors */
SSL_CTX_set_security_level(result->ctx, 1);
#endif
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
......@@ -2555,4 +2560,3 @@ evaluate_ecgroup_for_tls(const char *ecgroup)
return ret;
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment