This is a feature removal: we no longer fake any ciphersuite other
than the not-really-standard SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
(0xfeff).  This change will let servers rely on our actually
supporting what we claim to support, and thereby let Tor migrate to
better TLS ciphersuites.

As a drawback, Tor instances that use old openssl versions and
openssl builds with ciphers disabled will no longer give the
"firefox" cipher list.

We forgot this when we fixed 5969.

Karsten Loesing authored 12 years ago and Nick Mathewson committed 12 years ago

Fixes #5849.

Manually removed range 0.116.0.0 to 0.119.255.255 which Maxmind says is
assigned to AT.  This is very likely a bug in their database, because
0.0.0.0/8 is a reserved range.

First, specify -Werror when we are testing each option; if it causes
a warning to appear, we shouldn't be adding it.

Second, do not attempt to add these options until after we have
found the libraries we want.  Previously, I would hit a bug where
the linker hardening options worked fine when we weren't linking
anything, but failed completely once we added openssl or libevent.

Conflicts:
	doc/tor.1.txt

Conflict was on a formatting issue in the manpage.

Nearly everywhere, we end options with "(Default: foo)".  But in a
few places, we inserted an extra period after or before the close
parenthesis, and in a few other places we said "(Defaults to foo)".
Let's not do that.

Conflicts:
	src/or/dirserv.c

This is a very blunt fix, and mostly just turns some func() calls
into FuncA() to make things build again.  Fixes bug 6097.

The function is not guaranteed to NUL-terminate its output.  It
*is*, however, guaranteed not to generate more than two bytes per
multibyte character (plus terminating nul), so the general approach
I'm taking is to try to allocate enough space, AND to manually add a
NUL at the end of each buffer just in case I screwed up the "enough
space" thing.

Fixes bug 5909.

Fixes bug 6094; bugfix on commit 3a9351b5.

This feature can make Tor relays less identifiable by their use of the
mod_ssl DH group, but at the cost of some usability (#4721) and bridge
tracing (#6087) regressions.

We should try to turn this on by default again if we find that the
mod_ssl group is uncommon and/or we move to a different DH group size
(see #6088).  Before we can do so, we need a fix for bugs #6087 and

Resolves ticket #5598 for now.