diff options
| author | Nick Mathewson <nickm@torproject.org> | 2008-09-01 22:00:07 +0000 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2008-09-01 22:00:07 +0000 |
| commit | 278a89d75a8b9d2b69373bc7e59dfdda996965cc (patch) | |
| tree | 6874e01bfbf3485ebafa3ad273e113648d1da654 | |
| parent | 8cf2773aa761670dedf2c2f4a99cc34999d830a5 (diff) | |
| download | tor-278a89d75a8b9d2b69373bc7e59dfdda996965cc.tar.gz tor-278a89d75a8b9d2b69373bc7e59dfdda996965cc.zip | |
Backport r15821 to 0.2.0: Disallow session resumption during renegotiation.
svn:r16725
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | doc/TODO.020 | 6 | ||||
| -rw-r--r-- | src/common/tortls.c | 5 |
3 files changed, 13 insertions, 3 deletions
@@ -17,6 +17,11 @@ Changes in version 0.2.0.31 - 2008-08-?? an alias for the actually-working --with-openssl-dir option. Fix the help documentation to recommend --with-openssl-dir. Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha. + - Disallow session resumption attempts during the renegotiation + stage of the v2 handshake protocol. Clients should never be + trying session resumption at this point, but apparently some + did, in ways that caused the handshake to fail. Bugfix on + 0.2.0.20-rc. Bug found by Geoff Goodell. Changes in version 0.2.0.30 - 2008-07-15 diff --git a/doc/TODO.020 b/doc/TODO.020 index d19e983d45..4aa3eb839b 100644 --- a/doc/TODO.020 +++ b/doc/TODO.020 @@ -3,13 +3,13 @@ description of the patch.) Backport items for 0.2.0: - - r14247: tor-spec and dir-spec updates [just backport the whole files] + X r14247: tor-spec and dir-spec updates [just backport the whole files] Backport for 0.2.0 once better tested: d r14830: disable openssl compression. - r15699,15700: react quickly to readiness of rendezvous circuits. - - r15821: fix bug related to TLS session negotiation. - - r16136: prevent circid collision. [Also backport to 0.1.2.x??] + o r15821: fix bug related to TLS session negotiation. + o r16136: prevent circid collision. [Also backport to 0.1.2.x??] - r16143: generate stream close events from connection_edge_destroy(). - r16450: open /dev/pf before dropping privileges. - r16605: relays reject risky extend cells. diff --git a/src/common/tortls.c b/src/common/tortls.c index 708e4c0f79..496fc9c393 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -564,6 +564,11 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime) SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); #endif SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE); + +#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + SSL_CTX_set_options(result->ctx, + SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); +#endif if (cert && !SSL_CTX_use_certificate(result->ctx,cert)) goto error; X509_free(cert); /* We just added a reference to cert. */ |