Elevate server TLS cipher preferences over client

The server cipher list is (thanks to #11513) chosen systematically to put the best choices for Tor first. The client cipher list is chosen to resemble a browser. So let's set SSL_OP_CIPHER_SERVER_PREFERENCE to have the servers pick according to their own preference order.
author: Nick Mathewson <nickm@torproject.org> 2014-04-17 10:23:18 -0400
committer: Nick Mathewson <nickm@torproject.org> 2014-04-17 10:33:04 -0400
commit: 0b319de60f7c80ab5c37c57af182f4f710ceb5b7 (patch)
tree: fdb58d36fe21c7f5268475cd95c3f54b6c64e9eb /src/common/tortls.c
parent: f3c20a28ab50386064043cc31edb3b1b543d6fc6 (diff)
download: tor-0b319de60f7c80ab5c37c57af182f4f710ceb5b7.tar
tor-0b319de60f7c80ab5c37c57af182f4f710ceb5b7.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 886ee0dda..8eb524ebf 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1261,6 +1261,10 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
     goto error;
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
 
+  /* Prefer the server's ordering of ciphers: the client's ordering has
+  * historically been chosen for fingerprinting resistance. */
+  SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+
   /* Disable TLS1.1 and TLS1.2 if they exist.  We need to do this to
    * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
    * June 2012), wherein renegotiating while using one of these TLS
author	Nick Mathewson <nickm@torproject.org>	2014-04-17 10:23:18 -0400
committer	Nick Mathewson <nickm@torproject.org>	2014-04-17 10:33:04 -0400
commit	0b319de60f7c80ab5c37c57af182f4f710ceb5b7 (patch)
tree	fdb58d36fe21c7f5268475cd95c3f54b6c64e9eb /src/common/tortls.c
parent	f3c20a28ab50386064043cc31edb3b1b543d6fc6 (diff)
download	tor-0b319de60f7c80ab5c37c57af182f4f710ceb5b7.tar tor-0b319de60f7c80ab5c37c57af182f4f710ceb5b7.tar.gz