Commit ad763a33 authored Aug 13, 2013 by Nick Mathewson

Re-enable TLS 1.[12] when building with OpenSSL >= 1.0.1e

To fix #6033, we disabled TLS 1.1 and 1.2.  Eventually, OpenSSL fixed
the bug behind #6033.

I've considered alternate implementations that do more testing to see
if there's secretly an OpenSSL 1.0.1c or something that secretly has a
backport of the OpenSSL 1.0.1e fix, and decided against it on the
grounds of complexity.

parent 938ee9b2

changes/bug6055

0 → 100644

+6 −0

Original line number	Diff line number	Diff line
		o Major enhancements:
		- Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later.
		(OpenSSL before 1.0.1 didn't have TLS 1.1 or 1.2. OpenSSL from 1.0.1
		through 1.0.1d had bugs that prevented renegotiation from working
		with TLS 1.1 or 1.2, so we disabled them to solve bug 6033.) Fix for
		issue #6055.

src/common/tortls.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -1269,12 +1269,15 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
		* version. Once some version of OpenSSL does TLS1.1 and TLS1.2
		* renegotiation properly, we can turn them back on when built with
		* that version. */
		#if OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,1,'e')
		#ifdef SSL_OP_NO_TLSv1_2
		SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2);
		#endif
		#ifdef SSL_OP_NO_TLSv1_1
		SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1);
		#endif
		#endif

		/* Disable TLS tickets if they're supported. We never want to use them;
		* using them can make our perfect forward secrecy a little worse, and
		* create an opportunity to fingerprint us (since it's unusual to use them