Merge remote-tracking branch 'public/bug9780_024_v2' into maint-0.2.4

3 files changed, 10 insertions, 4 deletions

diff --git a/changes/bug9780 b/changes/bug9780
new file mode 100644
index 000000000..3cb51bd52
--- /dev/null
+++ b/changes/bug9780
@@ -0,0 +1,8 @@
+  o Minor bugfixes (performance, fingerprinting):
+    - Our default TLS ecdhe groups were backwards: we meant to be using
+      P224 for relays (for performance win) and P256 for bridges (since
+      it is more common in the wild). Instead we had it backwards. After
+      reconsideration, we decided that the default should be P256 on all
+      hosts, since its security is probably better, and since P224 is
+      reportedly used quite little in the wild.  Found by "skruffy" on
+      IRC. Fix for bug 9780; bugfix on 0.2.4.8-alpha.
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index 0e7f088c9..b9ee29614 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -1646,7 +1646,7 @@ is non-zero):
     What EC group should we try to use for incoming TLS connections?
     P224 is faster, but makes us stand out more. Has no effect if
     we're a client, or if our OpenSSL version lacks support for ECDHE.
-    (Default: P224 for public servers; P256 for bridges.)
+    (Default: P256)
 
 [[CellStatistics]] **CellStatistics** **0**|**1**::
     When this option is enabled, Tor writes statistics on the mean time that
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 90ebb755f..60444f1b8 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1372,10 +1372,8 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
       nid = NID_secp224r1;
     else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
       nid = NID_X9_62_prime256v1;
-    else if (flags & TOR_TLS_CTX_IS_PUBLIC_SERVER)
-      nid = NID_X9_62_prime256v1;
     else
-      nid = NID_secp224r1;
+      nid = NID_X9_62_prime256v1;
     /* Use P-256 for ECDHE. */
     ec_key = EC_KEY_new_by_curve_name(nid);
     if (ec_key != NULL) /*XXXX Handle errors? */