commit 7d93e2100f073c12159935dae2c217b18592e0aa
parent 49fd1240c25b76e1ee6e996b63968e95ef5a870c
Author: Nick Mathewson <nickm@torproject.org>
Date: Tue, 6 May 2025 10:08:43 -0400
Update client cipher list to match current firefox
(Shelikhoo says that this countermeasure is still likely to be
helpful for some users, and so we might as well keep it.)
Diffstat:
2 files changed, 8 insertions(+), 13 deletions(-)
diff --git a/changes/ticket41067 b/changes/ticket41067
@@ -1,3 +1,5 @@
o Minor features (security):
- Require TLS version 1.2 or later. (Version 1.3 support will
be required in the near future.) Part of ticket 41067.
+ - Update TLS 1.2 client cipher list to match current Firefox.
+ Part of ticket 41067.
diff --git a/src/lib/tls/ciphers.inc b/src/lib/tls/ciphers.inc
@@ -4,8 +4,6 @@
*
* This file was automatically generated by get_mozilla_ciphers.py.
*/
-
-/* Here's the machine-generated list. */
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
CIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
#else
@@ -56,15 +54,15 @@
#else
XCIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
#endif
-#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA
- CIPHER(0x0033, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA)
+#ifdef TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256
+ CIPHER(0x009c, TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256)
#else
- XCIPHER(0x0033, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA)
+ XCIPHER(0x009c, TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256)
#endif
-#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
- CIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
+#ifdef TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384
+ CIPHER(0x009d, TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384)
#else
- XCIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
+ XCIPHER(0x009d, TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384)
#endif
#ifdef TLS1_TXT_RSA_WITH_AES_128_SHA
CIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
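Review bot: The two entries added here, 0x009c and 0x009d, are static-RSA key-exchange suites, so unlike the DHE entries they replace they would give no forward secrecy if a peer ever selected one, and nothing in the file says they are listed only to match Firefox's ClientHello. Since the file is generated, I would have get_mozilla_ciphers.py emit a header comment along the lines of `/* Advertised to match Firefox's ClientHello; not all entries are suites we want negotiated. */`. Whether the relay-side selection refuses the non-ECDHE entries is not visible in this diff and is worth confirming with a test. The generator script is not among the two files changed, so it may need a matching update for this output to stay reproducible. The `#ifdef` block on the hunk's last two lines continues outside the hunk.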
@@ -76,8 +74,3 @@
#else
XCIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
#endif
-#ifdef SSL3_TXT_RSA_DES_192_CBC3_SHA
- CIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
-#else
- XCIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
-#endif