Stop allowing 3DES in TLS ciphersuites

Thanks to the SWEET32 attack, 3DES is getting lots of attention.

Right now, Tor is willing in principle to negotiate a 3DES TLS connection.

But the good news is (I think) that two non-obsolete Tor instances will never actually do so. Here is my reasoning:

  • Our source code has always preferred AES to 3DES. So the only way to get 3DES would be if one party didn't support AES.
  • OpenSSL began supporting AES in version 0.9.7.
  • Tor has required OpenSSL 0.9.7 or later since 7da93b80, which was in 0.2.0.10-alpha.

So this cipher shouldn't get negotiated, unless you're doing something very very weird.

I suggest that the best fix is to stop servers from ever choosing it.

I suggest that as an additional fix, clients should reject a connection to any server that does choose it.
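
The two fixes proposed above, sketched with Python's `ssl` module. This is an added example, not Tor's code: the function names, the `Rejected3DES` exception, and the cipher string are assumptions chosen for illustration.

```python
import ssl

# Substrings that identify 3DES suites in OpenSSL names (DES-CBC3-SHA,
# ECDHE-RSA-DES-CBC3-SHA) and in IANA names (TLS_RSA_WITH_3DES_EDE_CBC_SHA).
TRIPLE_DES_MARKERS = ("DES-CBC3", "3DES")


class Rejected3DES(Exception):
    """Raised by the client-side check when the peer selected a 3DES suite."""


def is_3des(cipher_name):
    """Return True if a cipher suite name denotes a 3DES suite."""
    name = cipher_name.upper()
    return any(marker in name for marker in TRIPLE_DES_MARKERS)


def server_context_without_3des():
    """Server-side fix: a context that can never choose 3DES."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # "!3DES" permanently removes every 3DES suite from the list,
    # regardless of what the client offers.
    ctx.set_ciphers("HIGH:!3DES:!aNULL:!eNULL")
    return ctx


def offered_3des(ctx):
    """List any 3DES suites still enabled on a context (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers() if is_3des(c["name"])]


def check_negotiated(cipher_info):
    """Client-side fix: reject the connection if the server chose 3DES.

    cipher_info is the tuple returned by SSLSocket.cipher() after the
    handshake: (name, protocol_version, secret_bits), or None.
    """
    if cipher_info is None:
        raise Rejected3DES("no cipher was negotiated")
    name = cipher_info[0]
    if is_3des(name):
        raise Rejected3DES("server selected 3DES suite: " + name)
    return name
```

A client would call `check_negotiated(sock.cipher())` right after the handshake and close the socket if it raises.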