From: Nick Mathewson Date: Tue, 6 May 2025 14:08:43 +0000 (-0400) Subject: Update client cipher list to match current firefox X-Git-Tag: tor-0.4.9.3-alpha~55^2~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7d93e2100f073c12159935dae2c217b18592e0aa;p=thirdparty%2Ftor.git Update client cipher list to match current firefox (Shelikhoo says that this countermeasure is still likely to be helpful for some users, and so we might as well keep it.) --- diff --git a/changes/ticket41067 b/changes/ticket41067 index 0baa74b078..d72442b8ce 100644 --- a/changes/ticket41067 +++ b/changes/ticket41067 @@ -1,3 +1,5 @@ o Minor features (security): - Require TLS version 1.2 or later. (Version 1.3 support will be required in the near future.) Part of ticket 41067. + - Update TLS 1.2 client cipher list to match current Firefox. + Part of ticket 41067. diff --git a/src/lib/tls/ciphers.inc b/src/lib/tls/ciphers.inc index 4361ad3892..882d9c6940 100644 --- a/src/lib/tls/ciphers.inc +++ b/src/lib/tls/ciphers.inc @@ -4,8 +4,6 @@ * * This file was automatically generated by get_mozilla_ciphers.py. */ - -/* Here's the machine-generated list. */ #ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 CIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) #else 
@@ -56,15 +54,15 @@
 #else
 XCIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
 #endif
-#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA
- CIPHER(0x0033, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA)
+#ifdef TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256
+ CIPHER(0x009c, TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256)
 #else
- XCIPHER(0x0033, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA)
+ XCIPHER(0x009c, TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256)
 #endif
-#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
- CIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
+#ifdef TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384
+ CIPHER(0x009d, TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384)
 #else
- XCIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
+ XCIPHER(0x009d, TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384)
 #endif
 #ifdef TLS1_TXT_RSA_WITH_AES_128_SHA
 CIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
@@ -76,8 +74,3 @@
 #else
 XCIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
 #endif
-#ifdef SSL3_TXT_RSA_DES_192_CBC3_SHA
- CIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
-#else
- XCIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
-#endif