Fix comment about TLSv1_method() per comments by wanoskarnet

author Nick Mathewson <nickm@torproject.org>

Mon, 9 Jan 2012 21:40:21 +0000 (16:40 -0500)

committer Nick Mathewson <nickm@torproject.org>

Mon, 9 Jan 2012 21:40:21 +0000 (16:40 -0500)
author Nick Mathewson <nickm@torproject.org>
Mon, 9 Jan 2012 21:40:21 +0000 (16:40 -0500)
committer Nick Mathewson <nickm@torproject.org>
Mon, 9 Jan 2012 21:40:21 +0000 (16:40 -0500)
diff --git a/src/common/tortls.c b/src/common/tortls.c

index 37074decfdf19e5b6dbe6cf0470dab8a28cfa845..f7a15b0b2ac966487e3597e0d3bf7f199f70c4c3 100644 (file)
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -777,15 +777,10 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime,
    }
  
  #if 0
-  /* Tell OpenSSL to only use TLS1. This would actually break compatibility
-   * with clients that are configured to use SSLv23_method(), so we should
-   * probably never use it.
-   */
-  /* XXX wanoskarnet says this comment is bunk -- that even if we turn
-   * this line on, clients configured to use SSLv23 would still able to
-   * talk to us. But he also says it's ok to leave it out. I suggest we
-   * delete this whole clause (the one that's #if 0'ed out). I'll leave
-   * it in place until Nick expresses an opinion. -RD */
+  /* Tell OpenSSL to only use TLS1.  This may have subtly different results
+   * from SSLv23_method() with SSLv2 and SSLv3 disabled, so we need to do some
+   * investigation before we consider adjusting it. It should be compatible
+   * with existing Tors. */
    if (!(result->ctx = SSL_CTX_new(TLSv1_method())))
      goto error;
  #endif
author	Nick Mathewson <nickm@torproject.org>
	Mon, 9 Jan 2012 21:40:21 +0000 (16:40 -0500)
committer	Nick Mathewson <nickm@torproject.org>
	Mon, 9 Jan 2012 21:40:21 +0000 (16:40 -0500)