Only disable TLS tickets when being/acting as a server.

Fix for bug 7189.
author: Nick Mathewson <nickm@torproject.org> 2012-10-24 20:13:25 -0400
committer: Nick Mathewson <nickm@torproject.org> 2012-10-24 20:13:25 -0400
commit: 62a49c0cc85037d3e79468961ff625ec5e8aad65 (patch)
tree: 8eef06b22c549348652c4b9ed0181a959d455514 /src/common/tortls.c
parent: b99457d4295b2329e65f3e01b24b57d5c78ca017 (diff)
download: tor-62a49c0cc85037d3e79468961ff625ec5e8aad65.tar
tor-62a49c0cc85037d3e79468961ff625ec5e8aad65.tar.gz
1 files changed, 5 insertions, 2 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c
index bec2c7123..12eac8dea 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1198,10 +1198,13 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
   /* Disable TLS tickets if they're supported.  We never want to use them;
    * using them can make our perfect forward secrecy a little worse, *and*
    * create an opportunity to fingerprint us (since it's unusual to use them
-   * with TLS sessions turned off).
+   * with TLS sessions turned off).  Clients need to advertise support for
+   * them, though to avoid a TLS distinguishability vector.
    */
 #ifdef SSL_OP_NO_TICKET
-  SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
+  if (! is_client) {
+    SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
+  }
 #endif
 
   if (
author	Nick Mathewson <nickm@torproject.org>	2012-10-24 20:13:25 -0400
committer	Nick Mathewson <nickm@torproject.org>	2012-10-24 20:13:25 -0400
commit	62a49c0cc85037d3e79468961ff625ec5e8aad65 (patch)
tree	8eef06b22c549348652c4b9ed0181a959d455514 /src/common/tortls.c
parent	b99457d4295b2329e65f3e01b24b57d5c78ca017 (diff)
download	tor-62a49c0cc85037d3e79468961ff625ec5e8aad65.tar tor-62a49c0cc85037d3e79468961ff625ec5e8aad65.tar.gz