|
@@ -1195,6 +1195,14 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
|
|
|
#ifdef SSL_OP_NO_TLSv1_1
|
|
|
SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1);
|
|
|
#endif
|
|
|
+ /* Disable TLS tickets if they're supported. We never want to use them;
|
|
|
+ * using them can make our perfect forward secrecy a little worse, *and*
|
|
|
+ * create an opportunity to fingerprint us (since it's unusual to use them
|
|
|
+ * with TLS sessions turned off).
|
|
|
+ */
|
|
|
+#ifdef SSL_OP_NO_TICKET
|
|
|
+ SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
|
|
|
+#endif
|
|
|
|
|
|
if (
|
|
|
#ifdef DISABLE_SSL3_HANDSHAKE
|