diff options
| author | Nick Mathewson <nickm@torproject.org> | 2014-05-07 23:04:59 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2014-05-07 23:04:59 -0400 |
| commit | 0ad8133a7e4f70120986f02bddb3abb6cc3d9509 (patch) | |
| tree | 58a01dbc82813b427c4bf9b795015ba9f7053419 | |
| parent | 882893c8c3657be66b48580aa972e71dac25da5e (diff) | |
| parent | 0b319de60f7c80ab5c37c57af182f4f710ceb5b7 (diff) | |
| download | tor-0ad8133a7e4f70120986f02bddb3abb6cc3d9509.tar tor-0ad8133a7e4f70120986f02bddb3abb6cc3d9509.tar.gz | |
Merge remote-tracking branch 'public/ticket11528_024' into maint-0.2.4
| -rw-r--r-- | changes/ticket11528 | 6 | ||||
| -rw-r--r-- | src/common/tortls.c | 4 |
2 files changed, 10 insertions, 0 deletions
diff --git a/changes/ticket11528 b/changes/ticket11528 new file mode 100644 index 000000000..15daad995 --- /dev/null +++ b/changes/ticket11528 @@ -0,0 +1,6 @@ + o Minor features: + - Servers now trust themselves to have a better view than clients of + which TLS ciphersuites to choose. (Thanks to #11513, the server + list is now well-considered, whereas the client list has been + chosen mainly for anti-fingerprinting purposes.) Resolves ticket + 11528. diff --git a/src/common/tortls.c b/src/common/tortls.c index bbbf6a5ef..8f3f6a713 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1277,6 +1277,10 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, goto error; SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); + /* Prefer the server's ordering of ciphers: the client's ordering has + * historically been chosen for fingerprinting resistance. */ + SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); + /* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1 * June 2012), wherein renegotiating while using one of these TLS |