diff --git a/ChangeLog b/ChangeLog index 17612b21d..cae003ffc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,11 @@ Changes in version 0.2.0.31 - 2008-08-?? an alias for the actually-working --with-openssl-dir option. Fix the help documentation to recommend --with-openssl-dir. Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha. + - Disallow session resumption attempts during the renegotiation + stage of the v2 handshake protocol. Clients should never be + trying session resumption at this point, but apparently some + did, in ways that caused the handshake to fail. Bugfix on + 0.2.0.20-rc. Bug found by Geoff Goodell. Changes in version 0.2.0.30 - 2008-07-15 diff --git a/doc/TODO.020 b/doc/TODO.020 index d19e983d4..4aa3eb839 100644 --- a/doc/TODO.020 +++ b/doc/TODO.020 @@ -3,13 +3,13 @@ description of the patch.) Backport items for 0.2.0: - - r14247: tor-spec and dir-spec updates [just backport the whole files] + X r14247: tor-spec and dir-spec updates [just backport the whole files] Backport for 0.2.0 once better tested: d r14830: disable openssl compression. - r15699,15700: react quickly to readiness of rendezvous circuits. - - r15821: fix bug related to TLS session negotiation. - - r16136: prevent circid collision. [Also backport to 0.1.2.x??] + o r15821: fix bug related to TLS session negotiation. + o r16136: prevent circid collision. [Also backport to 0.1.2.x??] - r16143: generate stream close events from connection_edge_destroy(). - r16450: open /dev/pf before dropping privileges. - r16605: relays reject risky extend cells. diff --git a/src/common/tortls.c b/src/common/tortls.c index 708e4c0f7..496fc9c39 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c 
@@ -564,6 +564,11 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime) SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); #endif SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE); + +#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + SSL_CTX_set_options(result->ctx, + SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); +#endif if (cert && !SSL_CTX_use_certificate(result->ctx,cert)) goto error; X509_free(cert); /* We just added a reference to cert. */
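Review bot: in the src/common/tortls.c hunk the new SSL_CTX_set_options call is wrapped in #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION with no #else, so on a build whose OpenSSL does not define that macro the option is silently dropped and the handshake failure the ChangeLog describes remains, with nothing at compile time or run time saying so. Consider an #else branch that logs (or at least a comment stating) that this OpenSSL cannot refuse resumption on renegotiation, and a one-line comment above the call explaining that it rejects session-resumption attempts during the renegotiation step of the v2 handshake; the neighbouring SSL_OP_NO_SSLv2 and SSL_OP_SINGLE_DH_USE lines give no such context, and the reason for this option currently lives only in the ChangeLog.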
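Review bot: the added ChangeLog entry ("Disallow session resumption attempts during the renegotiation stage of the v2 handshake protocol") states the fix unconditionally, but the tortls.c change it describes only takes effect when the OpenSSL headers define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION. Add a clause naming that requirement (for example "when OpenSSL supports it") so operators building against an older OpenSSL know the bugfix does not apply to them.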