From edd6f02273c58bfe39a978dd5c7b8765aae0b886 Mon Sep 17 00:00:00 2001
From: Roger Dingledine
Date: Sat, 9 Mar 2013 17:16:11 -0500
Subject: randomize SSLKeyLifetime by default resolves ticket 8443.
---
 src/or/config.c | 2 +-
 src/or/or.h | 3 ++-
 src/or/router.c | 4 ++++
 3 files changed, 7 insertions(+), 2 deletions(-)
(limited to 'src/or')
diff --git a/src/or/config.c b/src/or/config.c
index b7613bdf92..15138f9d7b 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -380,7 +380,7 @@ static config_var_t option_vars_[] = {
 V(SocksPolicy, LINELIST, NULL),
 VPORT(SocksPort, LINELIST, NULL),
 V(SocksTimeout, INTERVAL, "2 minutes"),
- V(SSLKeyLifetime, INTERVAL, "365 days"),
+ V(SSLKeyLifetime, INTERVAL, "0"),
 OBSOLETE("StatusFetchPeriod"),
 V(StrictNodes, BOOL, "0"),
 OBSOLETE("SysLog"),
diff --git a/src/or/or.h b/src/or/or.h
index a71468c1c6..c7d259853b 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -4008,7 +4008,8 @@ typedef struct {
 */
 int DisableV2DirectoryInfo_;
- /** What expiry time shall we place on our SSL certs? */
+ /** What expiry time shall we place on our SSL certs? "0" means we
+ * should guess a suitable value. */
 int SSLKeyLifetime;
 } or_options_t;
diff --git a/src/or/router.c b/src/or/router.c
index c9c35f6132..211366351b 100644
--- a/src/or/router.c
+++ b/src/or/router.c
@@ -659,6 +659,10 @@ router_initialize_tls_context(void)
 else if (!strcasecmp(options->TLSECGroup, "P224"))
 flags |= TOR_TLS_CTX_USE_ECDHE_P224;
 }
+ if (!lifetime) { /* we should guess a good ssl cert lifetime */
+ /* choose between 1 and 365 days */
+ lifetime = 1*24*3600 + crypto_rand_int(364*24*3600);
+ }
 /* It's ok to pass lifetime in as an unsigned int, since
 * config_parse_interval() checked it. */
--
cgit v1.2.3-54-g00ecf
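Review bot: The new doc comment on `SSLKeyLifetime` in or.h says "guess a suitable value", which is vaguer than what the router.c hunk of this commit does: it draws a random value between 1 and 365 days. The comment also leaves the unit unstated; the `24*3600` arithmetic in router.c suggests seconds, but the assignment from the option is outside the visible lines, so confirm. Suggested wording: `/** Lifetime (in seconds) to place on our SSL certs. 0 means pick a` / ` * random lifetime between 1 and 365 days. */`.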
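Review bot: The guessed value in the added `if (!lifetime)` block is drawn with one-second granularity, so the resulting validity period will almost never be a whole number of days. If the aim of randomizing is that the certificate should not be recognizable by its lifetime (the ticket text is not shown here), a day-granular draw such as `lifetime = (1 + crypto_rand_int(365)) * 24*3600;` may blend in better. How `lifetime` is turned into the certificate's validity dates is outside this hunk, so check that side as well. The comment that follows the block, "It's ok to pass lifetime in as an unsigned int, since config_parse_interval() checked it", now covers only the configured path and should also mention the guessed value. router_initialize_tls_context() starts and ends outside the hunk, so the declaration and type of `lifetime` are not visible here.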