Remove attempt to override TLS 1.3 server ciphersuites

author Nick Mathewson <nickm@torproject.org>

Tue, 6 May 2025 13:01:37 +0000 (09:01 -0400)

committer Nick Mathewson <nickm@torproject.org>

Tue, 6 May 2025 14:51:07 +0000 (10:51 -0400)
author Nick Mathewson <nickm@torproject.org>
Tue, 6 May 2025 13:01:37 +0000 (09:01 -0400)
committer Nick Mathewson <nickm@torproject.org>
Tue, 6 May 2025 14:51:07 +0000 (10:51 -0400)
diff --git a/src/lib/tls/ciphers.inc b/src/lib/tls/ciphers.inc

index 0084b3e325009543b8fbaea9512067d1cadcd633..4361ad3892ea765e60aff2124ff18b8acaa2be3e 100644 (file)
--- a/src/lib/tls/ciphers.inc
+++ b/src/lib/tls/ciphers.inc
@@ -2,26 +2,9 @@
   * advertise.  Before including it, you should define the CIPHER and XCIPHER
   * macros.
   *
- * This file was automatically generated by get_mozilla_ciphers.py;
- * TLSv1.3 ciphers were added manually.
+ * This file was automatically generated by get_mozilla_ciphers.py.
   */
  
-/* Here are the TLS1.3 ciphers. Note that we don't have XCIPHER instances
- * here, since we don't want to ever fake them.
- */
-#ifdef TLS1_3_TXT_AES_128_GCM_SHA256
-   CIPHER(0x1301, TLS1_3_TXT_AES_128_GCM_SHA256)
-#endif
-#ifdef TLS1_3_TXT_AES_256_GCM_SHA384
-   CIPHER(0x1302, TLS1_3_TXT_AES_256_GCM_SHA384)
-#endif
-#ifdef TLS1_3_TXT_CHACHA20_POLY1305_SHA256
-   CIPHER(0x1303, TLS1_3_TXT_CHACHA20_POLY1305_SHA256)
-#endif
-#ifdef TLS1_3_TXT_AES_128_CCM_SHA256
-   CIPHER(0x1304, TLS1_3_TXT_AES_128_CCM_SHA256)
-#endif
-
  /* Here's the machine-generated list. */
  #ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      CIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c

index 3e6948f9924263c24c3a8943d79477a90f8970c3..1068cc10f194adf106d1c05d3a41c4e5f7c8253c 100644 (file)
--- a/src/lib/tls/tortls_openssl.c
+++ b/src/lib/tls/tortls_openssl.c
@@ -348,23 +348,8 @@ always_accept_verify_cb(int preverify_ok,
    return 1;
  }
  
-/** List of ciphers that servers should select from when we actually have
- * our choice of what cipher to use. */
-static const char UNRESTRICTED_SERVER_CIPHER_LIST[] =
-  /* Here are the TLS 1.3 ciphers we like, in the order we prefer. */
-#ifdef TLS1_3_TXT_AES_256_GCM_SHA384
-  TLS1_3_TXT_AES_256_GCM_SHA384 ":"
-#endif
-#ifdef TLS1_3_TXT_CHACHA20_POLY1305_SHA256
-  TLS1_3_TXT_CHACHA20_POLY1305_SHA256 ":"
-#endif
-#ifdef TLS1_3_TXT_AES_128_GCM_SHA256
-  TLS1_3_TXT_AES_128_GCM_SHA256 ":"
-#endif
-#ifdef TLS1_3_TXT_AES_128_CCM_SHA256
-  TLS1_3_TXT_AES_128_CCM_SHA256 ":"
-#endif
-
+/** List of ciphers that servers should select from when using TLS 1.2 */
+static const char UNRESTRICTED_TLS1_2_SERVER_CIPHER_LIST[] =
    /* This list is autogenerated with the gen_server_ciphers.py script;
     * don't hand-edit it. */
  #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
@@ -731,7 +716,7 @@ tor_tls_new(tor_socket_t sock, int isServer)
  #endif /* defined(SSL_CTRL_SET_MAX_PROTO_VERSION) */
  
    if (!SSL_set_cipher_list(result->ssl,
-                           isServer ? UNRESTRICTED_SERVER_CIPHER_LIST
+                           isServer ? UNRESTRICTED_TLS1_2_SERVER_CIPHER_LIST
                                      : CLIENT_CIPHER_LIST)) {
      tls_log_errors(NULL, LOG_WARN, LD_NET, "setting ciphers");
  #ifdef SSL_set_tlsext_host_name
@@ -741,6 +726,7 @@ tor_tls_new(tor_socket_t sock, int isServer)
      tor_free(result);
      goto err;
    }
+
    result->socket = sock;
    bio = BIO_new_socket(sock, BIO_CLOSE);
    if (! bio) {
author	Nick Mathewson <nickm@torproject.org>
	Tue, 6 May 2025 13:01:37 +0000 (09:01 -0400)
committer	Nick Mathewson <nickm@torproject.org>
	Tue, 6 May 2025 14:51:07 +0000 (10:51 -0400)
src/lib/tls/ciphers.inc		patch \| blob \| blame \| history
src/lib/tls/tortls_openssl.c		patch \| blob \| blame \| history