tor_tls_classify_client_ciphers() returns CIPHERS_UNRESTRICTED even if CIPHERS_V2 should be returned. After prune v2_cipher_list to remove the ciphers server side don't recognize it will remove at least `0xfeff` that is SSL3_TXT_RSA_FIPS_WITH_3DES_EDE_CBC_SHA. So v2_cipher_list ends: ... 0xc003, /* TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA */ 0x000a, /* SSL3_TXT_RSA_DES_192_CBC3_SHA */ While peer sent cipher list that ends: ... 0xc003, /* TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA */ 0xfeff, /* SSL3_TXT_RSA_FIPS_WITH_3DES_EDE_CBC_SHA */ 0x000a, /* SSL3_TXT_RSA_DES_192_CBC3_SHA */ ``` const uint16_t *v2_cipher = v2_cipher_list; for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) { SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i); uint16_t id = cipher->id & 0xffff; if (id == 0x00ff) /* extended renegotiation indicator. */ continue; if (!id || id != *v2_cipher) { res = CIPHERS_UNRESTRICTED; goto dump_ciphers; ``` Then 0xfeff (from peer_ciphers) != 0x000a (from pruned list)