Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 3365def68b
Branches Tags
tor
/
changes
/
bug4822

bug4822 799 B
History Raw

12345678910111213 
  1.   o Major security workaround:
    2. 

  2.     - When building or running with any version of OpenSSL earlier
    3. 

  3.       than 0.9.8s or 1.0.0f, disable SSLv3 support. These versions had
    4. 

  4.       a bug (CVE-2011-4576) in which their block cipher padding
    5. 

  5.       included uninitialized data, potentially leaking sensitive
    6. 

  6.       information to any peer with whom they made a SSLv3
    7. 

  7.       connection. Tor does not use SSL v3 by default, but a hostile
    8. 

  8.       client or server could force an SSLv3 connection in order to
    9. 

  9.       gain information that they shouldn't have been able to get. The
    10. 

  10.       best solution here is to upgrade to OpenSSL 0.9.8s or 1.0.0f (or
    11. 

  11.       later). But when building or running with a non-upgraded
    12. 

  12.       OpenSSL, we should instead make sure that the bug can't happen
    13. 

  13.       by disabling SSLv3 entirely.
    14.