Opened 7 years ago

Closed 7 years ago

#7200 closed project (implemented)

Implement restored semantics of TLS ClientHello

Reported by: karsten
Owned by:
Priority: Medium
Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor
Version:
Severity:
Keywords: SponsorZ tor-relay
Cc: andrea, nickm, mikeperry
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Proposal 198 restored semantics of TLS ClientHello. Nick suggests we should implement it, if possible in 2012. Nick suggests Andrea as tech lead for this project.

Change History (9)

comment:1 Changed 7 years ago by nickm

Keywords: tor-relay added
Milestone: Tor: 0.2.4.x-final

comment:2 Changed 7 years ago by mikeperry

Cc: mikeperry added

comment:3 Changed 7 years ago by nickm

Status: new → needs_review

Wow, that was easy so far. See branch tls_echde in my public repository. I've tested it on a mixed network with some 0.2.2 clients. Still need to test with v2 servers. Looks like a promising start though.

comment:4 Changed 7 years ago by nickm

If agl's numbers are right, P224 would be much faster than P256, and secure enough for us. But before we get too deep there, we need to check what (if anything) our choice of curve will do to fingerprintability here, or whether our choice of ECDHE ciphers at all will make us fingerprintable. In the latter case, maybe bridges should disable them by default when not using a pluggable transport.

comment:5 Changed 7 years ago by nickm

Talked with arma; he thinks "just go with p224" might be a good idea.

We need to make sure that when we do this, we tell everybody with a 64-bit system to make sure their openssl is 1.0.1, built with "enable-ec_nistp_64_gcc_128" -- that's where the big performance boost is.

comment:6 Changed 7 years ago by nickm

(FWIW, the enable-ec_nistp_64_gcc_128 option seems to make P224 about 2x faster and P256 about 1.6X faster.)

comment:7 Changed 7 years ago by andrea

I think this all looks okay to merge to me; you should explain to me how all this clients lying about ciphers to avoid fingerprinting business works to me someday, though, I think.

comment:8 Changed 7 years ago by nickm

Okay, I rebased into tls_ecdhe_rebased, added a few more commits (cleanups, p244, configurable group, detect missing enable-ec_nistp_64_gcc_128), squashed again into tls_ecdhe_rebased_v2.

comment:9 Changed 7 years ago by nickm

Resolution: implemented
Status: needs_review → closed

Merry Christmas. Merged onto master.
