commit 1e46a391b3ef4dfc65044f900684368ea234c290
parent 9fcb3ef787285fcb116d07fc2ff563e80a0c8a0e
Author: Nick Mathewson <nickm@torproject.org>
Date: Fri, 7 Sep 2018 09:15:15 -0400
Merge branch 'ticket27344_029' into maint-0.2.9
Diffstat:
3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/changes/bug27344 b/changes/bug27344
@@ -0,0 +1,4 @@
+ o Minor features (compatibility):
+ - Tell OpenSSL to maintain backward compatibility with previous
+ RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these ciphers
+ are disabled by default. Closes ticket 27344.
diff --git a/configure.ac b/configure.ac
@@ -678,6 +678,7 @@ AC_CHECK_FUNCS([ \
SSL_get_client_ciphers \
SSL_get_client_random \
SSL_CIPHER_find \
+ SSL_CTX_set_security_level \
TLS_method
])
diff --git a/src/common/tortls.c b/src/common/tortls.c
@@ -1130,6 +1130,11 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
goto error;
#endif
+#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+ /* Level 1 re-enables RSA1024 and DH1024 for compatibility with old tors */
+ SSL_CTX_set_security_level(result->ctx, 1);
+#endif
+
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
@@ -2555,4 +2560,3 @@ evaluate_ecgroup_for_tls(const char *ecgroup)
return ret;
}
-
