Opened 6 years ago

Closed 6 years ago

#11438 closed enhancement (fixed)

Update ciphers.inc to match ciphers from a recent firefox

Reported by: nickm Owned by:
Priority: Medium Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor Version:
Severity: Keywords: tor-client, 024-backport, nickm-backport-02422
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I hear that firefox has added a bunch of new ciphersuites since we last updated ciphers.inc. We should re-run get_mozilla_ciphers.py on the most recent stable firefox and openssl, to generate a new cipehrs.inc for Tor 0.2.5. We should fix get_mozilla_ciphers if it needs it; the code may have rotted a bit.

Child Tickets

Change History (8)

comment:1 Changed 6 years ago by nickm

Keywords: 024-backport added
Status: newneeds_review

Branch "update_ciphers_ff28" has patches against 0.2.4.

comment:2 Changed 6 years ago by nickm

(I have also manually compared this list against the list used by firefox 28)

comment:3 Changed 6 years ago by andrea

This looks okay by me.

comment:4 Changed 6 years ago by nickm

Milestone: Tor: 0.2.5.x-finalTor: 0.2.4.x-final

Okay. merged to 0.2.5, marked for backport.

comment:5 Changed 6 years ago by nickm

Recommendation: backport along with other TLS ciphersuite improvements. Anything that can ever make users stick on DHE1024 instead of ECDHE is a security bug we should fix IMO

comment:6 Changed 6 years ago by nickm

Keywords: nickm-backport-02422 added

Adding a tag for tickets I think we should backport into 0.2.4.22. Omitting ones where I said "unsure"

comment:7 Changed 6 years ago by nickm

Current status: these involve very little change to our actual code, and have potential to improve security a great deal, while making more invasive backports (like #9386) less urgent. I am planning to merge them in 0.2.4.22

comment:8 Changed 6 years ago by nickm

Resolution: fixed
Status: needs_reviewclosed

Merged into maint-0.2.4 for inclusion in 0.2.4.22

Note: See TracTickets for help on using tickets.