bug4822 799 B

  o Major security workaround:
    - When building or running with any version of OpenSSL earlier
      than 0.9.8s or 1.0.0f, disable SSLv3 support. These versions had
      a bug (CVE-2011-4576) in which their block cipher padding
      included uninitialized data, potentially leaking sensitive
      information to any peer with whom they made an SSLv3
      connection. Tor does not use SSLv3 by default, but a hostile
      client or server could force an SSLv3 connection in order to
      gain information that they shouldn't have been able to get. The
      best solution here is to upgrade to OpenSSL 0.9.8s or 1.0.0f (or
      later). But when building or running with a non-upgraded
      OpenSSL, we should instead make sure that the bug can't happen
      by disabling SSLv3 entirely.
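The entry above calls for a version check that covers both the OpenSSL Tor was compiled against and the one loaded at run time, and for turning SSLv3 off when either is affected. The following is an added illustration of that logic, not Tor's own code: it encodes versions in OpenSSL's `OPENSSL_VERSION_NUMBER` layout (`0xMNNFFPPS`), treats anything before 0.9.8s and any 1.0.0 release before 1.0.0f as affected, and, only when built with `-DWITH_OPENSSL -lssl -lcrypto`, applies `SSL_OP_NO_SSLv3` to an `SSL_CTX`. The helper names (`openssl_version_num`, `openssl_needs_sslv3_workaround`, `apply_sslv3_workaround`) are hypothetical; `SSLeay()`, `OpenSSL_version_num()`, `SSL_CTX_set_options()` and `SSL_OP_NO_SSLv3` are real OpenSSL APIs.

```c
#include <stdbool.h>
#include <stdio.h>

#ifdef WITH_OPENSSL
#include <openssl/ssl.h>
#endif

/* Build a number in OpenSSL's OPENSSL_VERSION_NUMBER layout, 0xMNNFFPPS:
 * major, minor, fix, patch letter ('a' = 1, 0 = no letter) and a status
 * nibble of 0xf meaning "release". Hypothetical helper, not Tor's. */
unsigned long openssl_version_num(int major, int minor, int fix, char patch)
{
    unsigned long p = patch ? (unsigned long)(patch - 'a' + 1) : 0UL;
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20) |
           ((unsigned long)fix << 12) | (p << 4) | 0xfUL;
}

/* True when the given OpenSSL version is one whose SSLv3 block-cipher
 * padding leaked uninitialized memory (CVE-2011-4576): any release before
 * 0.9.8s, or a 1.0.0 release before 1.0.0f. Later series (1.0.1 and up)
 * were released with the fix. Hypothetical helper. */
bool openssl_needs_sslv3_workaround(unsigned long v)
{
    const unsigned long fixed_098 = openssl_version_num(0, 9, 8, 's'); /* 0x0090813f */
    const unsigned long fixed_100 = openssl_version_num(1, 0, 0, 'f'); /* 0x1000006f */

    if (v < fixed_098)
        return true;
    /* Same major.minor.fix as 1.0.0 (shift away patch and status nibbles)
     * but older than the fixed patch level. */
    if ((v >> 12) == (fixed_100 >> 12) && v < fixed_100)
        return true;
    return false;
}

#ifdef WITH_OPENSSL
/* Apply the workaround to a context. Both the compile-time constant and
 * the library actually loaded at run time are checked, because a binary
 * built against a fixed OpenSSL can still be run against a vulnerable
 * shared library. Returns true when SSLv3 was disabled. */
bool apply_sslv3_workaround(SSL_CTX *ctx)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
    unsigned long running = OpenSSL_version_num(); /* 1.1.0 and later */
#else
    unsigned long running = SSLeay();              /* pre-1.1 name */
#endif
    if (openssl_needs_sslv3_workaround(running) ||
        openssl_needs_sslv3_workaround(OPENSSL_VERSION_NUMBER)) {
        SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
        return true;
    }
    return false;
}
#endif

int main(void)
{
    /* Constructed sample versions around the two fix boundaries. */
    struct { const char *name; unsigned long v; } samples[] = {
        { "0.9.8r", openssl_version_num(0, 9, 8, 'r') },
        { "0.9.8s", openssl_version_num(0, 9, 8, 's') },
        { "1.0.0e", openssl_version_num(1, 0, 0, 'e') },
        { "1.0.0f", openssl_version_num(1, 0, 0, 'f') },
        { "1.0.1",  openssl_version_num(1, 0, 1, 0)   },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("OpenSSL %-7s -> %s\n", samples[i].name,
               openssl_needs_sslv3_workaround(samples[i].v)
                   ? "disable SSLv3 (SSL_OP_NO_SSLv3)"
                   : "no workaround needed");
    return 0;
}
```

Checking the run-time library as well as the compile-time constant matters because the changelog entry speaks of "building or running" with an old OpenSSL: a dynamically linked binary inherits whatever `libssl` the host provides.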