aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2012-06-04 11:33:27 -0400
committerNick Mathewson <nickm@torproject.org>2012-06-04 11:33:27 -0400
commit6d85a796539424882f878ccac5ae4640a6fbb561 (patch)
tree1547859e9377d1c520b7d52dfc21f66c9eba059a /src
parentb7e863c07305941d0c12b46da503fca694148abf (diff)
parent841a8d551abd191b23ad2f78dfb07d9e4ff8ace2 (diff)
downloadtor-6d85a796539424882f878ccac5ae4640a6fbb561.tar
tor-6d85a796539424882f878ccac5ae4640a6fbb561.tar.gz
Merge remote-tracking branch 'public/bug6033' into maint-0.2.2
Diffstat (limited to 'src')
-rw-r--r--src/common/tortls.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 4c9d2188d..c6316120f 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -790,6 +790,21 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime,
goto error;
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
+ /* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to
+ * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
+ * June 2012), wherein renegotiating while using one of these TLS
+ * protocols will cause the client to send a TLS 1.0 ServerHello
+ * rather than a ServerHello written with the appropriate protocol
+ * version. Once some version of OpenSSL does TLS1.1 and TLS1.2
+ * renegotiation properly, we can turn them back on when built with
+ * that version. */
+#ifdef SSL_OP_NO_TLSv1_2
+ SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2);
+#endif
+#ifdef SSL_OP_NO_TLSv1_1
+ SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1);
+#endif
+
if (
#ifdef DISABLE_SSL3_HANDSHAKE
1 ||