From 62a49c0cc85037d3e79468961ff625ec5e8aad65 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 24 Oct 2012 20:13:25 -0400 Subject: Only disable TLS tickets when being/acting as a server. Fix for bug 7189. --- changes/bug7189_server_only | 5 +++++ src/common/tortls.c | 7 +++++-- 2 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 changes/bug7189_server_only diff --git a/changes/bug7189_server_only b/changes/bug7189_server_only new file mode 100644 index 000000000..6c2462141 --- /dev/null +++ b/changes/bug7189_server_only @@ -0,0 +1,5 @@ + o Minor bugfixes: + - Only disable TLS session ticket support when running as a TLS + server. It's important for clients to remain hard to distinguish + from regular firefox connections. Fixes bug 7189; bugfix on + Tor 0.2.3.23-rc. diff --git a/src/common/tortls.c b/src/common/tortls.c index bec2c7123..12eac8dea 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1198,10 +1198,13 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, /* Disable TLS tickets if they're supported. We never want to use them; * using them can make our perfect forward secrecy a little worse, *and* * create an opportunity to fingerprint us (since it's unusual to use them - * with TLS sessions turned off). + * with TLS sessions turned off). Clients need to advertise support for + * them, though to avoid a TLS distinguishability vector. */ #ifdef SSL_OP_NO_TICKET - SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET); + if (! is_client) { + SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET); + } #endif if ( -- cgit v1.2.3