tor_tls_classify_client_ciphers() returns CIPHERS_UNRESTRICTED even if client sent old V2 cipher list and don't support all ciphers
tor_tls_classify_client_ciphers() returns CIPHERS_UNRESTRICTED even if CIPHERS_V2 should be returned.
After prune v2_cipher_list to remove the ciphers server side don't recognize it will remove at least 0xfeff
that is SSL3_TXT_RSA_FIPS_WITH_3DES_EDE_CBC_SHA.
So v2_cipher_list ends:
...
0xc003, /* TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA /
0x000a, / SSL3_TXT_RSA_DES_192_CBC3_SHA */
While peer sent cipher list that ends: ... 0xc003, /* TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA / 0xfeff, / SSL3_TXT_RSA_FIPS_WITH_3DES_EDE_CBC_SHA / 0x000a, / SSL3_TXT_RSA_DES_192_CBC3_SHA */
const uint16_t *v2_cipher = v2_cipher_list;
for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
uint16_t id = cipher->id & 0xffff;
if (id == 0x00ff) /* extended renegotiation indicator. */
continue;
if (!id || id != *v2_cipher) {
res = CIPHERS_UNRESTRICTED;
goto dump_ciphers;
Then 0xfeff (from peer_ciphers) != 0x000a (from pruned list)