From: dzwdz <not@dzwdz.net>
Date: Mon, 29 Sep 2025 18:15:19 +0000 (+0200)
Subject: Reorder TLS group preferences to work around LibreSSL bug
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fmerge-requests%2F936%2Fhead;p=thirdparty%2Ftor.git

Reorder TLS group preferences to work around LibreSSL bug
---

diff --git a/changes/bug41134 b/changes/bug41134
new file mode 100644
index 0000000000..861dfb575f
--- /dev/null
+++ b/changes/bug41134
@@ -0,0 +1,3 @@
+  o Major bugfixes (client, TLS):
+    - Fix some clients not being able to connect to LibreSSL relays.
+      Fixes bug 41134; bugfix on 0.4.8.17
diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c
index 5654f7f654..bc699efd16 100644
--- a/src/lib/tls/tortls_openssl.c
+++ b/src/lib/tls/tortls_openssl.c
@@ -696,14 +696,17 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
       // that supports ML-KEM also supports the ? syntax.
       // We also use the * and / syntaxes:
       //   '*' indicates that the client should send these keyshares.
-      //   "/" means that we should consider a set of of groups
-      //   as equivalently secure.
+      //   "/" separates tuples of groups that are "comparably secure".
       //
       // Note that we tell the client to send a P-256 keyshare, since until
       // this commit, our servers didn't accept X25519.
+      //
+      // Also note that until the upstream LibreSSL bug from tor#41134 gets
+      // fixed, the order of groups common between each preference list must
+      // be the same. We can't prefer P-256 in one, and X25519 in another.
       {
         OPENSSL_V_SERIES(3,5,0),
-        "?*X25519MLKEM768 / ?SecP256r1MLKEM768:?X25519 / *P-256:P-224"
+        "?*X25519MLKEM768 / ?SecP256r1MLKEM768 / *P-256:?X25519:P-224"
       },
       { 0, "P-256:X25519:P-224" },
       { 0, "P-256:P-224" },