diff options
author | Nick Mathewson <nickm@torproject.org> | 2012-10-24 20:13:25 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2012-10-24 20:13:25 -0400 |
commit | 62a49c0cc85037d3e79468961ff625ec5e8aad65 (patch) | |
tree | 8eef06b22c549348652c4b9ed0181a959d455514 /src/common | |
parent | b99457d4295b2329e65f3e01b24b57d5c78ca017 (diff) | |
download | tor-62a49c0cc85037d3e79468961ff625ec5e8aad65.tar tor-62a49c0cc85037d3e79468961ff625ec5e8aad65.tar.gz |
Only disable TLS tickets when being/acting as a server.
Fix for bug 7189.
Diffstat (limited to 'src/common')
-rw-r--r-- | src/common/tortls.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c index bec2c7123..12eac8dea 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1198,10 +1198,13 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, /* Disable TLS tickets if they're supported. We never want to use them; * using them can make our perfect forward secrecy a little worse, *and* * create an opportunity to fingerprint us (since it's unusual to use them - * with TLS sessions turned off). + * with TLS sessions turned off). Clients need to advertise support for + * them, though to avoid a TLS distinguishability vector. */ #ifdef SSL_OP_NO_TICKET - SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET); + if (! is_client) { + SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET); + } #endif if ( |