Change servers to never pick 3DES.

Closes ticket 19998.

diff --git a/changes/bug19998 b/changes/bug19998
new file mode 100644 (file)
index 0000000..d01589d
--- /dev/null
+++ b/changes/bug19998
@@ -0,0 +1,6 @@
+  o Minor features (security, TLS):
+    - Servers no longer support clients that do not provide AES
+      ciphersuites. (3DES is no longer considered an acceptable
+      cipher.) We believe that no such clients currently exist,
+      since we have required OpenSSL 0.9.7 or later since 2009.
+      Closes ticket 19998.

diff --git a/src/common/tortls.c b/src/common/tortls.c
index 23889be259a0adf824f2d0d8270583d77b6dca71..cf3c8ab5482acb6632b8e72a7680ba651e2d226a 100644 (file)
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -552,8 +552,7 @@ MOCK_IMPL(STATIC X509 *,
  * claiming extra unsupported ciphers in order to avoid fingerprinting.  */
 #define SERVER_CIPHER_LIST                         \
   (TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"           \
-   TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"           \
-   SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
+   TLS1_TXT_DHE_RSA_WITH_AES_128_SHA)
 
 /** List of ciphers that servers should select from when we actually have
  * our choice of what cipher to use. */
@@ -593,12 +592,8 @@ static const char UNRESTRICTED_SERVER_CIPHER_LIST[] =
        /* Required */
        TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
        /* Required */
-       TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
-#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
-       TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA ":"
-#endif
-       /* Required */
-       SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA;
+       TLS1_TXT_DHE_RSA_WITH_AES_128_SHA
+       ;
 
 /* Note: to set up your own private testing network with link crypto
  * disabled, set your Tors' cipher list to