Backport r15821 to 0.2.0: Disallow session resumption during renegotiation.
svn:r16725
parent 8cf2773aa7
commit 278a89d75a
@ -17,6 +17,11 @@ Changes in version 0.2.0.31 - 2008-08-??
an alias for the actually-working --with-openssl-dir option. Fix the
help documentation to recommend --with-openssl-dir. Based on a patch
by "Dave". Bugfix on 0.2.0.1-alpha.
- Disallow session resumption attempts during the renegotiation
stage of the v2 handshake protocol. Clients should never be
trying session resumption at this point, but apparently some
did, in ways that caused the handshake to fail. Bugfix on
0.2.0.20-rc. Bug found by Geoff Goodell.
Changes in version 0.2.0.30 - 2008-07-15
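Review bot: the ChangeLog entry reads as if every 0.2.0.31 build gets this fix, but the tortls.c change in this same commit is wrapped in #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, so a Tor linked against an OpenSSL whose headers lack that option compiles without it and keeps the bug. Suggest saying so in the entry, e.g. "(Requires an OpenSSL that defines SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.)", so operators can tell which builds are actually fixed.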
@ -3,13 +3,13 @@
description of the patch.)
Backport items for 0.2.0:
- r14247: tor-spec and dir-spec updates [just backport the whole files]
X r14247: tor-spec and dir-spec updates [just backport the whole files]
Backport for 0.2.0 once better tested:
d r14830: disable openssl compression.
- r15699,15700: react quickly to readiness of rendezvous circuits.
- r15821: fix bug related to TLS session negotiation.
- r16136: prevent circid collision. [Also backport to 0.1.2.x??]
o r15821: fix bug related to TLS session negotiation.
o r16136: prevent circid collision. [Also backport to 0.1.2.x??]
- r16143: generate stream close events from connection_edge_destroy().
- r16450: open /dev/pf before dropping privileges.
- r16605: relays reject risky extend cells.
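Review bot: the status flip for r16136 ("- r16136: prevent circid collision." becoming "o r16136: prevent circid collision.") lands in this commit, but the commit message only claims the r15821 backport and no circid-related code change appears in the diff. Either r16136 was backported in a separate commit and this TODO update is just catching up, in which case the commit message should mention it, or the "o" on r16136 is premature and should be reverted so the backport list stays an accurate record of what 0.2.0 actually contains.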
@ -564,6 +564,11 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
#endif
SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
SSL_CTX_set_options(result->ctx,
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
#endif
if (cert && !SSL_CTX_use_certificate(result->ctx,cert))
goto error;
X509_free(cert); /* We just added a reference to cert. */
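Review bot: the #ifdef guard around SSL_CTX_set_options(result->ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION) makes the protection silently disappear on OpenSSL builds that do not define the option, with nothing at compile time or in the logs to show it. Suggest adding an #else branch that at least logs once (or emits a compile-time warning) that session resumption during renegotiation cannot be disabled with this OpenSSL, so a failing v2 handshake on such a build can be traced back to the missing option. A short comment above the block saying why the option is set (clients must not attempt session resumption at the renegotiation stage of the v2 handshake, and some did, breaking the handshake) would also help the next reader of tor_tls_context_new().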