Merge remote-tracking branch 'origin/maint-0.2.3' into maint-0.2.4

diff --cc src/common/tortls.c
index c13b12fd4042cd14676e67e039af2e0658a8a3b1,11fe220e2dc7fe39b1f619563a6e94ec1993be09..4222f6dbffa597559c737e7b230afa17e2d75d8f
--- 1/src/common/tortls.c
--- 2/src/common/tortls.c
+++ b/src/common/tortls.c
@@@ -1276,11 -1180,8 +1276,12 @@@ tor_tls_context_new(crypto_pk_t *identi
    if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
      goto error;
    SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
+   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
  
 +  /* Prefer the server's ordering of ciphers: the client's ordering has
 +  * historically been chosen for fingerprinting resistance. */
 +  SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 +
    /* Disable TLS1.1 and TLS1.2 if they exist.  We need to do this to
     * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
     * June 2012), wherein renegotiating while using one of these TLS
@@@ -1302,18 -1200,12 +1303,19 @@@
     * using them can make our perfect forward secrecy a little worse, *and*
     * create an opportunity to fingerprint us (since it's unusual to use them
     * with TLS sessions turned off).
 +   *
 +   * In 0.2.4, clients advertise support for them though, to avoid a TLS
 +   * distinguishability vector.  This can give us worse PFS, though, if we
 +   * get a server that doesn't set SSL_OP_NO_TICKET.  With luck, there will
 +   * be few such servers by the time 0.2.4 is more stable.
     */
  #ifdef SSL_OP_NO_TICKET
 -  SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
 +  if (! is_client) {
 +    SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
 +  }
  #endif
  
+   /* XXX This block is now obsolete. */
    if (
  #ifdef DISABLE_SSL3_HANDSHAKE
        1 ||