Change changes file and comment for 7189, for making it 0.2.4-only for now

diff --git a/changes/bug7189_server_only b/changes/bug7189_server_only
index 6c2462141e8d09adc222ec09f99106858e88dc6d..9ad5ad9ab9a4d1210eb9122acf369d07b9b59cbb 100644 (file)
--- a/changes/bug7189_server_only
+++ b/changes/bug7189_server_only
@@ -1,5 +1,4 @@
   o Minor bugfixes:
     - Only disable TLS session ticket support when running as a TLS
-      server.  It's important for clients to remain hard to distinguish
-      from regular firefox connections. Fixes bug 7189; bugfix on
-      Tor 0.2.3.23-rc.
+      server. This keeps clients harder to distinguish from regular firefox
+      connections. Fixes bug 7189; bugfix on Tor 0.2.3.23-rc.

diff --git a/src/common/tortls.c b/src/common/tortls.c
index 3bb05814631e0d33e0303d510e639c673ed39aa2..1b7b544f364c6b575a0ee1414d63f6c948046af9 100644 (file)
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1193,8 +1193,12 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
   /* Disable TLS tickets if they're supported.  We never want to use them;
    * using them can make our perfect forward secrecy a little worse, *and*
    * create an opportunity to fingerprint us (since it's unusual to use them
-   * with TLS sessions turned off).  Clients need to advertise support for
-   * them, though to avoid a TLS distinguishability vector.
+   * with TLS sessions turned off).
+   *
+   * In 0.2.4, clients advertise support for them, though to avoid a TLS
+   * distinguishability vector.  This can give us worse PFS, though, if we
+   * get a server that doesn't set SSL_OP_NO_TICKET.  With luck, there will
+   * be few such servers by the time 0.2.4 is more stable.
    */
 #ifdef SSL_OP_NO_TICKET
   if (! is_client) {