Home Explore Help
Sign In
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Disable SSLv3 unconditionally. Closes ticket 13426.

The POODLE attack doesn't affect Tor, but there's no reason to tempt
fate: SSLv3 isn't going to get any better.
Nick Mathewson 9 years ago
parent
b98e3f9936
commit
af73d3e4d8
2 changed files with 7 additions and 1 deletions
Split View Show Diff Stats
  1. 4 0
      changes/disable_sslv3
  2. 3 1
      src/common/tortls.c

+ 4 - 0
changes/disable_sslv3
View File 

@@ -0,0 +1,4 @@
 
+  o Major security fixes:
 
+    - Disable support for SSLv3. All versions of OpenSSL in use with
 
+      Tor today support TLS 1.0 or later, so we can safely turn off
 
+      support for this old (and insecure) protocol. Fixes bug 13426.

+ 3 - 1
src/common/tortls.c
View File 

@@ -1176,10 +1176,11 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
 
     goto error;
 
 #endif
 
 
-  /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
 
+  /* Tell OpenSSL to use TLS 1.0 or later but not SSL2 or SSL3. */
 
   if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
 
     goto error;
 
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
 
+  SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
 
 
   /* Disable TLS1.1 and TLS1.2 if they exist.  We need to do this to
 
    * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
 
@@ -1204,6 +1205,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
 
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
 
 #endif
 
 
+  /* XXX This block is now obsolete. */
 
   if (
 
 #ifdef DISABLE_SSL3_HANDSHAKE
 
       1 ||