From 2945945473bc3b0429c6528bc502c8304992fb1e Mon Sep 17 00:00:00 2001 From: dzwdz Date: Mon, 29 Sep 2025 20:15:19 +0200 Subject: [PATCH] Reorder TLS group preferences to work around LibreSSL bug --- changes/bug41134 | 3 +++ src/lib/tls/tortls_openssl.c | 9 ++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) create mode 100644 changes/bug41134 diff --git a/changes/bug41134 b/changes/bug41134 new file mode 100644 index 0000000000..861dfb575f --- /dev/null +++ b/changes/bug41134 @@ -0,0 +1,3 @@ + o Major bugfixes (client, TLS): + - Fix some clients not being able to connect to LibreSSL relays. + Fixes bug 41134; bugfix on 0.4.8.17 diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c index 5654f7f654..bc699efd16 100644 --- a/src/lib/tls/tortls_openssl.c +++ b/src/lib/tls/tortls_openssl.c @@ -696,14 +696,17 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, // that supports ML-KEM also supports the ? syntax. // We also use the * and / syntaxes: // '*' indicates that the client should send these keyshares. - // "/" means that we should consider a set of of groups - // as equivalently secure. + // "/" separates tuples of groups that are "comparably secure". // // Note that we tell the client to send a P-256 keyshare, since until // this commit, our servers didn't accept X25519. + // + // Also note that until the upstream LibreSSL bug from tor#41134 gets + // fixed, the order of groups common between each preference list must + // be the same. We can't prefer P-256 in one, and X25519 in another. { OPENSSL_V_SERIES(3,5,0), - "?*X25519MLKEM768 / ?SecP256r1MLKEM768:?X25519 / *P-256:P-224" + "?*X25519MLKEM768 / ?SecP256r1MLKEM768 / *P-256:?X25519:P-224" }, { 0, "P-256:X25519:P-224" }, { 0, "P-256:P-224" }, -- 2.47.3