From 3a2d677fa70be56054dcabb43a88cab75500e162 Mon Sep 17 00:00:00 2001 From: Martin Peck Date: Fri, 4 Dec 2009 14:25:08 -0500 Subject: Improved workaround for disabled OpenSSL renegotiation. It turns out that OpenSSL 0.9.8m is likely to take a completely different approach for reenabling renegotiation than OpenSSL 0.9.8l did, so we need to work with both. :p Fixes bug 1158. (patch by coderman; commit message by nickm) --- src/common/tortls.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'src/common') diff --git a/src/common/tortls.c b/src/common/tortls.c index bcc6780a65..5b323267c1 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -565,6 +565,18 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime) #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_CTX_set_options(result->ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); +#endif +#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION + /* Yes, we know what we are doing here. No, we do not treat a renegotiation + * as authenticating any earlier-received data. + * + * (OpenSSL 0.9.8l introdeced SSL3_FLAGS_ALLOW_UNSAGE_LEGACY_RENEGOTIATION + * here. OpenSSL 0.9.8m thoughtfully turned it into an option and (it + * seems) broke anything that used SSL3_FLAGS_* for the purpose. So we need + * to do both.) + */ + SSL_CTX_set_options(result->ctx, + SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); #endif /* Don't actually allow compression; it uses ram and time, but the data * we transmit is all encrypted anyway. */ -- cgit v1.2.3-54-g00ecf