Merge remote-tracking branch 'public/bug6055_v2_024'

090bff2d · Nick Mathewson · 759de9f7 · ad763a33 · 090bff2d · 090bff2d
Commit 090bff2d authored 11 years ago by Nick Mathewson
--- a/changes/bug6055
+++ b/changes/bug6055
+  o Major enhancements:
+    - Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later.
+      (OpenSSL before 1.0.1 didn't have TLS 1.1 or 1.2. OpenSSL from 1.0.1
+      through 1.0.1d had bugs that prevented renegotiation from working
+      with TLS 1.1 or 1.2, so we disabled them to solve bug 6033.) Fix for
+      issue #6055.
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1241,12 +1241,15 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
   * version.  Once some version of OpenSSL does TLS1.1 and TLS1.2
   * renegotiation properly, we can turn them back on when built with
   * that version. */
+#if OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,1,'e')
 #ifdef SSL_OP_NO_TLSv1_2
  SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2);
 #endif
 #ifdef SSL_OP_NO_TLSv1_1
  SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1);
 #endif
+#endif
+
  /* Disable TLS tickets if they're supported.  We never want to use them;
   * using them can make our perfect forward secrecy a little worse, *and*
   * create an opportunity to fingerprint us (since it's unusual to use them