Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge remote-tracking branch 'public/ticket11528_024' into maint-0.2.4

Nick Mathewson 10 years ago
parent
882893c8c3 0b319de60f
commit
0ad8133a7e
2 changed files with 10 additions and 0 deletions
Split View Show Diff Stats
  1. 6 0
      changes/ticket11528
  2. 4 0
      src/common/tortls.c

+ 6 - 0
changes/ticket11528
View File 

@@ -0,0 +1,6 @@
 
+  o Minor features:
 
+    - Servers now trust themselves to have a better view than clients of
 
+      which TLS ciphersuites to choose. (Thanks to #11513, the server
 
+      list is now well-considered, whereas the client list has been
 
+      chosen mainly for anti-fingerprinting purposes.) Resolves ticket
 
+      11528.

+ 4 - 0
src/common/tortls.c
View File 

@@ -1277,6 +1277,10 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
 
     goto error;
 
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
 
 
+  /* Prefer the server's ordering of ciphers: the client's ordering has
 
+  * historically been chosen for fingerprinting resistance. */
 
+  SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 
+
 
   /* Disable TLS1.1 and TLS1.2 if they exist.  We need to do this to
 
    * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
 
    * June 2012), wherein renegotiating while using one of these TLS