diff options
| author | Roger Dingledine <arma@torproject.org> | 2011-09-13 18:27:13 -0400 |
|---|---|---|
| committer | Roger Dingledine <arma@torproject.org> | 2011-09-13 18:27:13 -0400 |
| commit | 4a351b4b9ebfadf27d68e6bb3e1470cdef83ef45 (patch) | |
| tree | def7db8677a35c9638109aa4bd0429231e5c4445 | |
| parent | d679ef623fc912a25f0d1c36ad187d7bdca0a440 (diff) | |
| parent | 62ec584a3014b9b9333dcc6feb4989d1592d6d26 (diff) | |
| download | tor-4a351b4b9ebfadf27d68e6bb3e1470cdef83ef45.tar.gz tor-4a351b4b9ebfadf27d68e6bb3e1470cdef83ef45.zip | |
Merge branch 'maint-0.2.1' into maint-0.2.2
Conflicts:
src/or/main.c
src/or/router.c
| -rw-r--r-- | changes/bug4014 | 3 | ||||
| -rw-r--r-- | src/or/main.c | 7 | ||||
| -rw-r--r-- | src/or/or.h | 4 | ||||
| -rw-r--r-- | src/or/router.c | 4 |
4 files changed, 12 insertions, 6 deletions
diff --git a/changes/bug4014 b/changes/bug4014 new file mode 100644 index 0000000000..9c20c6c337 --- /dev/null +++ b/changes/bug4014 @@ -0,0 +1,3 @@ + o Minor features: + - Adjust the expiration time on our SSL session certificates to + better match SSL certs seen in the wild. Resolves ticket 4014. diff --git a/src/or/main.c b/src/or/main.c index bc639dbdd8..289d805503 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -940,15 +940,16 @@ run_scheduled_events(time_t now) if (options->UseBridges) fetch_bridge_descriptors(options, now); - /** 1b. Every MAX_SSL_KEY_LIFETIME seconds, we change our TLS context. */ + /** 1b. Every MAX_SSL_KEY_LIFETIME_INTERNAL seconds, we change our + * TLS context. */ if (!last_rotated_x509_certificate) last_rotated_x509_certificate = now; - if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME < now) { + if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME_INTERNAL < now) { log_info(LD_GENERAL,"Rotating tls context."); if (tor_tls_context_init(public_server_mode(options), get_tlsclient_identity_key(), is_server ? get_server_identity_key() : NULL, - MAX_SSL_KEY_LIFETIME) < 0) { + MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) { log_warn(LD_BUG, "Error reinitializing TLS context"); /* XXX is it a bug here, that we just keep going? -RD */ } diff --git a/src/or/or.h b/src/or/or.h index a2f4083752..31deb897c7 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -163,7 +163,9 @@ /** How often do we rotate onion keys? */ #define MIN_ONION_KEY_LIFETIME (7*24*60*60) /** How often do we rotate TLS contexts? */ -#define MAX_SSL_KEY_LIFETIME (2*60*60) +#define MAX_SSL_KEY_LIFETIME_INTERNAL (2*60*60) +/** What expiry time shall we place on our SSL certs? */ +#define MAX_SSL_KEY_LIFETIME_ADVERTISED (365*24*60*60) /** How old do we allow a router to get before removing it * from the router list? In seconds. */ diff --git a/src/or/router.c b/src/or/router.c index 2165e6ea90..365e888af9 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -526,7 +526,7 @@ init_keys(void) if (tor_tls_context_init(0, get_tlsclient_identity_key(), NULL, - MAX_SSL_KEY_LIFETIME) < 0) { + MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) { log_err(LD_GENERAL,"Error creating TLS context for Tor client."); return -1; } @@ -622,7 +622,7 @@ init_keys(void) if (tor_tls_context_init(public_server_mode(options), get_tlsclient_identity_key(), get_server_identity_key(), - MAX_SSL_KEY_LIFETIME) < 0) { + MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) { log_err(LD_GENERAL,"Error initializing TLS context"); return -1; } |