diff options
| author | Roger Dingledine <arma@torproject.org> | 2011-09-13 18:32:00 -0400 |
|---|---|---|
| committer | Roger Dingledine <arma@torproject.org> | 2011-09-13 18:32:00 -0400 |
| commit | 1fcaeb60924d155e80a9579588a1b6c31e2174f7 (patch) | |
| tree | 274aa165a9ade0fbf3b9b1ce940d2e91c531d96a | |
| parent | 1e1cc43b5723008dc6ec19188b1613c3682c36d3 (diff) | |
| parent | 4a351b4b9ebfadf27d68e6bb3e1470cdef83ef45 (diff) | |
| download | tor-1fcaeb60924d155e80a9579588a1b6c31e2174f7.tar.gz tor-1fcaeb60924d155e80a9579588a1b6c31e2174f7.zip | |
Merge branch 'maint-0.2.2'
| -rw-r--r-- | changes/bug4014 | 3 | ||||
| -rw-r--r-- | src/or/main.c | 7 | ||||
| -rw-r--r-- | src/or/or.h | 4 | ||||
| -rw-r--r-- | src/or/router.c | 4 |
4 files changed, 12 insertions, 6 deletions
diff --git a/changes/bug4014 b/changes/bug4014 new file mode 100644 index 0000000000..9c20c6c337 --- /dev/null +++ b/changes/bug4014 @@ -0,0 +1,3 @@ + o Minor features: + - Adjust the expiration time on our SSL session certificates to + better match SSL certs seen in the wild. Resolves ticket 4014. diff --git a/src/or/main.c b/src/or/main.c index af769c412b..ad5558e649 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -1152,15 +1152,16 @@ run_scheduled_events(time_t now) if (options->UseBridges) fetch_bridge_descriptors(options, now); - /** 1b. Every MAX_SSL_KEY_LIFETIME seconds, we change our TLS context. */ + /** 1b. Every MAX_SSL_KEY_LIFETIME_INTERNAL seconds, we change our + * TLS context. */ if (!last_rotated_x509_certificate) last_rotated_x509_certificate = now; - if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME < now) { + if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME_INTERNAL < now) { log_info(LD_GENERAL,"Rotating tls context."); if (tor_tls_context_init(public_server_mode(options), get_tlsclient_identity_key(), is_server ? get_server_identity_key() : NULL, - MAX_SSL_KEY_LIFETIME) < 0) { + MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) { log_warn(LD_BUG, "Error reinitializing TLS context"); /* XXX is it a bug here, that we just keep going? -RD */ } diff --git a/src/or/or.h b/src/or/or.h index 268e62fd8c..56f34fc4fe 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -174,7 +174,9 @@ /** How often do we rotate onion keys? */ #define MIN_ONION_KEY_LIFETIME (7*24*60*60) /** How often do we rotate TLS contexts? */ -#define MAX_SSL_KEY_LIFETIME (2*60*60) +#define MAX_SSL_KEY_LIFETIME_INTERNAL (2*60*60) +/** What expiry time shall we place on our SSL certs? */ +#define MAX_SSL_KEY_LIFETIME_ADVERTISED (365*24*60*60) /** How old do we allow a router to get before removing it * from the router list? In seconds. */ diff --git a/src/or/router.c b/src/or/router.c index ba6648ba68..c9f141b7f0 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -533,7 +533,7 @@ init_keys(void) if (tor_tls_context_init(0, get_tlsclient_identity_key(), NULL, - MAX_SSL_KEY_LIFETIME) < 0) { + MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) { log_err(LD_GENERAL,"Error creating TLS context for Tor client."); return -1; } @@ -629,7 +629,7 @@ init_keys(void) if (tor_tls_context_init(public_server_mode(options), get_tlsclient_identity_key(), get_server_identity_key(), - MAX_SSL_KEY_LIFETIME) < 0) { + MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) { log_err(LD_GENERAL,"Error initializing TLS context"); return -1; } |