From e861b3be88160b36ee21a9ea7e2faff5047635f5 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Wed, 17 Feb 2010 23:55:03 -0500
Subject: Even more conservative option-setting for SSL renegotiation.

This time, set the SSL3_FLAGS_ALLOW_UNSAFE_RENEGOTIATION flag on every version before OpenSSL 0.9.8l. I can confirm that the option value (0x0010) wasn't reused until OpenSSL 1.0.0beta3.
---
 src/common/tortls.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/common/tortls.c b/src/common/tortls.c
index f552f2162d..ddcb94ebe6 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -345,7 +345,7 @@ tor_tls_init(void)
    * OpenSSL 0.9.8l.
    *
    * No, we can't just set flag 0x0010 everywhere. It breaks Tor with
-   * OpenSSL 1.0.0beta, since i. No, we can't just set option
+   * OpenSSL 1.0.0beta3 and later. No, we can't just set option
    * 0x00040000L everywhere: before 0.9.8m, it meant something else.
    *
    * No, we can't simply detect whether the flag or the option is present
@@ -358,7 +358,7 @@ tor_tls_init(void)
    */
   if (version >= 0x009080c0L && version < 0x009080d0L) {
     log_notice(LD_GENERAL, "OpenSSL %s looks like version 0.9.8l; "
-               "I will try SSL3_FLAGS to enable renegotation.",
+               "I will try SSL3_FLAGS to enable renegotation.",
                SSLeay_version(SSLEAY_VERSION));
     use_unsafe_renegotiation_flag = 1;
     use_unsafe_renegotiation_op = 1;
@@ -367,6 +367,12 @@ tor_tls_init(void)
                "I will try SSL_OP to enable renegotiation",
                SSLeay_version(SSLEAY_VERSION));
     use_unsafe_renegotiation_op = 1;
+  } else if (version < 0x009080c0L) {
+    log_notice(LD_GENERAL, "OpenSSL %s [%lx] looks like it's older than "
+               "0.9.8l, but some vendors have backported 0.9.8l's "
+               "renegotiation code to earlier versions. I'll set "
+               "SSL3_FLAGS just to be safe.");
+    use_unsafe_renegotiation_flag = 1;
   } else {
     log_info(LD_GENERAL, "OpenSSL %s has version %lx",
              SSLeay_version(SSLEAY_VERSION), version);
-- 
cgit v1.2.3-54-g00ecf
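Review bot: The new `log_notice` in the `version < 0x009080c0L` branch (third hunk) has a format string containing `%s` and `%lx` but passes no arguments for them, so the call consumes two varargs that were never supplied — undefined behavior that can print garbage or crash at startup, and `-Wformat` would flag it. The neighbouring branches pass `SSLeay_version(SSLEAY_VERSION)` and `version`; this one should do the same, so the last line of the call becomes `"SSL3_FLAGS just to be safe.", SSLeay_version(SSLEAY_VERSION), version);`. The enclosing `tor_tls_init` starts and ends outside the hunk. As a minor point, the second hunk re-touches the message `"I will try SSL3_FLAGS to enable renegotation."` without correcting the spelling to `renegotiation`.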