summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRoger Dingledine <arma@torproject.org>2011-09-13 18:27:13 -0400
committerRoger Dingledine <arma@torproject.org>2011-09-13 18:27:13 -0400
commit4a351b4b9ebfadf27d68e6bb3e1470cdef83ef45 (patch)
treedef7db8677a35c9638109aa4bd0429231e5c4445
parentd679ef623fc912a25f0d1c36ad187d7bdca0a440 (diff)
parent62ec584a3014b9b9333dcc6feb4989d1592d6d26 (diff)
downloadtor-4a351b4b9ebfadf27d68e6bb3e1470cdef83ef45.tar.gz
tor-4a351b4b9ebfadf27d68e6bb3e1470cdef83ef45.zip
Merge branch 'maint-0.2.1' into maint-0.2.2
Conflicts: src/or/main.c src/or/router.c
-rw-r--r--changes/bug40143
-rw-r--r--src/or/main.c7
-rw-r--r--src/or/or.h4
-rw-r--r--src/or/router.c4
4 files changed, 12 insertions, 6 deletions
diff --git a/changes/bug4014 b/changes/bug4014
new file mode 100644
index 0000000000..9c20c6c337
--- /dev/null
+++ b/changes/bug4014
@@ -0,0 +1,3 @@
+ o Minor features:
+ - Adjust the expiration time on our SSL session certificates to
+ better match SSL certs seen in the wild. Resolves ticket 4014.
diff --git a/src/or/main.c b/src/or/main.c
index bc639dbdd8..289d805503 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -940,15 +940,16 @@ run_scheduled_events(time_t now)
if (options->UseBridges)
fetch_bridge_descriptors(options, now);
- /** 1b. Every MAX_SSL_KEY_LIFETIME seconds, we change our TLS context. */
+ /** 1b. Every MAX_SSL_KEY_LIFETIME_INTERNAL seconds, we change our
+ * TLS context. */
if (!last_rotated_x509_certificate)
last_rotated_x509_certificate = now;
- if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME < now) {
+ if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME_INTERNAL < now) {
log_info(LD_GENERAL,"Rotating tls context.");
if (tor_tls_context_init(public_server_mode(options),
get_tlsclient_identity_key(),
is_server ? get_server_identity_key() : NULL,
- MAX_SSL_KEY_LIFETIME) < 0) {
+ MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
log_warn(LD_BUG, "Error reinitializing TLS context");
/* XXX is it a bug here, that we just keep going? -RD */
}
diff --git a/src/or/or.h b/src/or/or.h
index a2f4083752..31deb897c7 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -163,7 +163,9 @@
/** How often do we rotate onion keys? */
#define MIN_ONION_KEY_LIFETIME (7*24*60*60)
/** How often do we rotate TLS contexts? */
-#define MAX_SSL_KEY_LIFETIME (2*60*60)
+#define MAX_SSL_KEY_LIFETIME_INTERNAL (2*60*60)
+/** What expiry time shall we place on our SSL certs? */
+#define MAX_SSL_KEY_LIFETIME_ADVERTISED (365*24*60*60)
/** How old do we allow a router to get before removing it
* from the router list? In seconds. */
diff --git a/src/or/router.c b/src/or/router.c
index 2165e6ea90..365e888af9 100644
--- a/src/or/router.c
+++ b/src/or/router.c
@@ -526,7 +526,7 @@ init_keys(void)
if (tor_tls_context_init(0,
get_tlsclient_identity_key(),
NULL,
- MAX_SSL_KEY_LIFETIME) < 0) {
+ MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
log_err(LD_GENERAL,"Error creating TLS context for Tor client.");
return -1;
}
@@ -622,7 +622,7 @@ init_keys(void)
if (tor_tls_context_init(public_server_mode(options),
get_tlsclient_identity_key(),
get_server_identity_key(),
- MAX_SSL_KEY_LIFETIME) < 0) {
+ MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
log_err(LD_GENERAL,"Error initializing TLS context");
return -1;
}