diff options
| -rw-r--r-- | changes/bug5283 | 6 | ||||
| -rw-r--r-- | changes/bug6033 | 6 | ||||
| -rw-r--r-- | src/common/tortls.c | 15 | ||||
| -rw-r--r-- | src/or/circuituse.c | 8 |
4 files changed, 34 insertions, 1 deletions
diff --git a/changes/bug5283 b/changes/bug5283 new file mode 100644 index 0000000000..f0325cf26c --- /dev/null +++ b/changes/bug5283 @@ -0,0 +1,6 @@ + o Major bugfixes: + - Fix an edge case where if we fetch or publish a hidden service + descriptor, we might build a 4-hop circuit and then use that circuit + for exiting afterwards -- even if the new last hop doesn't obey our + ExitNodes config option. Fixes bug 5283; bugfix on 0.2.0.10-alpha. + diff --git a/changes/bug6033 b/changes/bug6033 new file mode 100644 index 0000000000..56cffd68b7 --- /dev/null +++ b/changes/bug6033 @@ -0,0 +1,6 @@ + o Major bugfixes: + - Work around a bug in OpenSSL that broke renegotiation with + TLS 1.1 and TLS 1.2. Without this workaround, all attempts + to speak the v2 Tor network protocol when both sides were + using OpenSSL 1.0.1 would fail. Fix for bug 6033, which is + not a bug in Tor. diff --git a/src/common/tortls.c b/src/common/tortls.c index 4c9d2188d4..c6316120f9 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -790,6 +790,21 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime, goto error; SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); + /* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to + * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1 + * June 2012), wherein renegotiating while using one of these TLS + * protocols will cause the client to send a TLS 1.0 ServerHello + * rather than a ServerHello written with the appropriate protocol + * version. Once some version of OpenSSL does TLS1.1 and TLS1.2 + * renegotiation properly, we can turn them back on when built with + * that version. */ +#ifdef SSL_OP_NO_TLSv1_2 + SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2); +#endif +#ifdef SSL_OP_NO_TLSv1_1 + SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1); +#endif + if ( #ifdef DISABLE_SSL3_HANDSHAKE 1 || diff --git a/src/or/circuituse.c b/src/or/circuituse.c index 0ad8b3b51b..df33f63bb9 100644 --- a/src/or/circuituse.c +++ b/src/or/circuituse.c @@ -1229,7 +1229,13 @@ circuit_get_open_circ_or_launch(edge_connection_t *conn, need_uptime = !conn->want_onehop && !conn->use_begindir && smartlist_string_num_isin(options->LongLivedPorts, conn->socks_request->port); - need_internal = desired_circuit_purpose != CIRCUIT_PURPOSE_C_GENERAL; + + if (desired_circuit_purpose != CIRCUIT_PURPOSE_C_GENERAL) + need_internal = 1; + else if (conn->use_begindir || conn->want_onehop) + need_internal = 1; + else + need_internal = 0; circ = circuit_get_best(conn, 1, desired_circuit_purpose, need_uptime, need_internal); |