commit 8743080a289a20bfaf0a67d6382ba0c2a6d6534d
Author: Nick Mathewson <ni...@torproject.org>
Date:   Wed Oct 17 19:57:27 2012 -0400

    Disable TLS Session Tickets, which we were apparently getting for free
    
    OpenSSL 1.0.0 added an implementation of TLS session tickets, a
    "feature" that let session resumption occur without server-side state
    by giving clients an encrypted "ticket" that the client could present
    later to get the session going again with the same keys as before.
    OpenSSL was giving the keys to decrypt these tickets the lifetime of
    the SSL contexts, which would have been terrible for PFS if we had
    long-lived SSL contexts.  Fortunately, we don't.  Still, it's pretty
    bad.  We should also drop these, since our use of the extension stands
    out with our non-use of session cacheing.
    
    Found by nextgens. Bugfix on all versions of Tor when built with
    openssl 1.0.0 or later.  Fixes bug 7139.
---
 changes/bug7139     |    9 +++++++++
 src/common/tortls.c |    8 ++++++++
 2 files changed, 17 insertions(+), 0 deletions(-)

diff --git a/changes/bug7139 b/changes/bug7139
new file mode 100644
index 0000000..dfb7d32
--- /dev/null
+++ b/changes/bug7139
@@ -0,0 +1,9 @@
+  o Major bugfixes (security):
+
+    - Disable TLS session tickets.  OpenSSL's implementation were giving
+      our TLS session keys the lifetime of our TLS context objects, when
+      perfect forward secrecy would want us to discard anything that
+      could decrypt a link connection as soon as the link connection was
+      closed.  Fixes bug 7139; bugfix on all versions of Tor linked
+      against OpenSSL 1.0.0 or later. Found by "nextgens".
+
diff --git a/src/common/tortls.c b/src/common/tortls.c
index c631612..fc0bcb9 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -804,6 +804,14 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned 
int key_lifetime,
 #ifdef SSL_OP_NO_TLSv1_1
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1);
 #endif
+  /* Disable TLS tickets if they're supported.  We never want to use them;
+   * using them can make our perfect forward secrecy a little worse, *and*
+   * create an opportunity to fingerprint us (since it's unusual to use them
+   * with TLS sessions turned off).
+   */
+#ifdef SSL_OP_NO_TICKET
+  SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
+#endif
 
   if (
 #ifdef DISABLE_SSL3_HANDSHAKE

_______________________________________________
tor-commits mailing list
tor-commits@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits

Reply via email to