From: Nick Mathewson Date: Wed, 7 Oct 2015 14:16:37 +0000 (-0400) Subject: Remove workaround code for broken client-side renegotiation X-Git-Tag: tor-0.2.8.1-alpha~240^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5bd3290df3254e6ffb3ac80150f8c8217fd0ac66;p=thirdparty%2Ftor.git Remove workaround code for broken client-side renegotiation Since 11150 removed client-side support for renegotiation, we no longer need to make sure we have an openssl/TLSvX combination that supports it (client-side) --- diff --git a/src/common/tortls.c b/src/common/tortls.c index 4321330708..86f48a45dd 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1124,23 +1124,6 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, * historically been chosen for fingerprinting resistance. */ SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); - /* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to - * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1 - * June 2012), wherein renegotiating while using one of these TLS - * protocols will cause the client to send a TLS 1.0 ServerHello - * rather than a ServerHello written with the appropriate protocol - * version. Once some version of OpenSSL does TLS1.1 and TLS1.2 - * renegotiation properly, we can turn them back on when built with - * that version. */ -#if OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,1,'e') -#ifdef SSL_OP_NO_TLSv1_2 - SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2); -#endif -#ifdef SSL_OP_NO_TLSv1_1 - SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1); -#endif -#endif - /* Disable TLS tickets if they're supported. We never want to use them; * using them can make our perfect forward secrecy a little worse, *and* * create an opportunity to fingerprint us (since it's unusual to use them