Change changes file and comment for 7189, for making it 0.2.4-only for now

author: Nick Mathewson <nickm@torproject.org> 2012-10-24 22:11:43 -0400
committer: Nick Mathewson <nickm@torproject.org> 2012-10-24 22:11:43 -0400
commit: a1c121e78e09ad29a60f1ed4ab1c8d1333bb4236 (patch)
tree: 8cdde8731e01cfab51649ad1e0ad214d6b5560e9 /src/common/tortls.c
parent: 4a7962e439312b5002e05e0c720245e8359ad808 (diff)
download: tor-a1c121e78e09ad29a60f1ed4ab1c8d1333bb4236.tar
tor-a1c121e78e09ad29a60f1ed4ab1c8d1333bb4236.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 3bb058146..1b7b544f3 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1193,8 +1193,12 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
   /* Disable TLS tickets if they're supported.  We never want to use them;
    * using them can make our perfect forward secrecy a little worse, *and*
    * create an opportunity to fingerprint us (since it's unusual to use them
-   * with TLS sessions turned off).  Clients need to advertise support for
-   * them, though to avoid a TLS distinguishability vector.
+   * with TLS sessions turned off).
+   *
+   * In 0.2.4, clients advertise support for them, though to avoid a TLS
+   * distinguishability vector.  This can give us worse PFS, though, if we
+   * get a server that doesn't set SSL_OP_NO_TICKET.  With luck, there will
+   * be few such servers by the time 0.2.4 is more stable.
    */
 #ifdef SSL_OP_NO_TICKET
   if (! is_client) {
author	Nick Mathewson <nickm@torproject.org>	2012-10-24 22:11:43 -0400
committer	Nick Mathewson <nickm@torproject.org>	2012-10-24 22:11:43 -0400
commit	a1c121e78e09ad29a60f1ed4ab1c8d1333bb4236 (patch)
tree	8cdde8731e01cfab51649ad1e0ad214d6b5560e9 /src/common/tortls.c
parent	4a7962e439312b5002e05e0c720245e8359ad808 (diff)
download	tor-a1c121e78e09ad29a60f1ed4ab1c8d1333bb4236.tar tor-a1c121e78e09ad29a60f1ed4ab1c8d1333bb4236.tar.gz