From ad763a336cb3655151383172bcfa658870ad8950 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Tue, 13 Aug 2013 23:43:39 -0400 Subject: Re-enable TLS 1.[12] when building with OpenSSL >= 1.0.1e To fix #6033, we disabled TLS 1.1 and 1.2. Eventually, OpenSSL fixed the bug behind #6033. I've considered alternate implementations that do more testing to see if there's secretly an OpenSSL 1.0.1c or something that secretly has a backport of the OpenSSL 1.0.1e fix, and decided against it on the grounds of complexity. --- src/common/tortls.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'src') diff --git a/src/common/tortls.c b/src/common/tortls.c index b7e5bc1a5..90ebb755f 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1269,12 +1269,15 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, * version. Once some version of OpenSSL does TLS1.1 and TLS1.2 * renegotiation properly, we can turn them back on when built with * that version. */ +#if OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,1,'e') #ifdef SSL_OP_NO_TLSv1_2 SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2); #endif #ifdef SSL_OP_NO_TLSv1_1 SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1); #endif +#endif + /* Disable TLS tickets if they're supported. We never want to use them; * using them can make our perfect forward secrecy a little worse, *and* * create an opportunity to fingerprint us (since it's unusual to use them -- cgit v1.2.3