From 841a8d551abd191b23ad2f78dfb07d9e4ff8ace2 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Sat, 2 Jun 2012 20:05:32 -0400 Subject: Work around a bug in OpenSSL 1.0.1's TLS 1.1 and TLS 1.2 support It appears that when OpenSSL negotiates a 1.1 or 1.2 connection, and it decides to renegotiate, the client will send a record with version "1.0" rather than with the current TLS version. This would cause the connection to fail whenever both sides had OpenSSL 1.0.1, and the v2 Tor handshake was in use. As a workaround, disable TLS 1.1 and TLS 1.2. When a later version of OpenSSL is released, we can make this conditional on running a fixed version of OpenSSL. Alternatively, we could disable TLS 1.1 and TLS 1.2 only on the client side. But doing it this way for now means that we not only fix TLS with patched clients; we also fix TLS when the server has this patch and the client does not. That could be important to keep the network running well. Fixes bug 6033. --- changes/bug6033 | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 changes/bug6033 (limited to 'changes/bug6033') diff --git a/changes/bug6033 b/changes/bug6033 new file mode 100644 index 000000000..56cffd68b --- /dev/null +++ b/changes/bug6033 @@ -0,0 +1,6 @@ + o Major bugfixes: + - Work around a bug in OpenSSL that broke renegotiation with + TLS 1.1 and TLS 1.2. Without this workaround, all attempts + to speak the v2 Tor network protocol when both sides were + using OpenSSL 1.0.1 would fail. Fix for bug 6033, which is + not a bug in Tor. -- cgit v1.2.3