Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Change servers to never pick 3DES.

Closes ticket 19998.
Nick Mathewson 9 years ago
parent
6abce601f2
commit
c2d1356739
2 changed files with 9 additions and 8 deletions
Split View Show Diff Stats
  1. 6 0
      changes/bug19998
  2. 3 8
      src/common/tortls.c

+ 6 - 0
changes/bug19998
View File 

@@ -0,0 +1,6 @@
 
+  o Minor features (security, TLS):
 
+    - Servers no longer support clients that do not provide AES
 
+      ciphersuites. (3DES is no longer considered an acceptable
 
+      cipher.) We believe that no such clients currently exist,
 
+      since we have required OpenSSL 0.9.7 or later since 2009.
 
+      Closes ticket 19998.

+ 3 - 8
src/common/tortls.c
View File 

@@ -552,8 +552,7 @@ MOCK_IMPL(STATIC X509 *,
 
  * claiming extra unsupported ciphers in order to avoid fingerprinting.  */
 
 #define SERVER_CIPHER_LIST                         \
 
   (TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"           \
 
-   TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"           \
 
-   SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
 
+   TLS1_TXT_DHE_RSA_WITH_AES_128_SHA)
 
 
 /** List of ciphers that servers should select from when we actually have
 
  * our choice of what cipher to use. */
 
@@ -593,12 +592,8 @@ static const char UNRESTRICTED_SERVER_CIPHER_LIST[] =
 
        /* Required */
 
        TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
 
        /* Required */
 
-       TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
 
-#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
 
-       TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA ":"
 
-#endif
 
-       /* Required */
 
-       SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA;
 
+       TLS1_TXT_DHE_RSA_WITH_AES_128_SHA
 
+       ;
 
 
 /* Note: to set up your own private testing network with link crypto
 
  * disabled, set your Tors' cipher list to