r16194@catbus: nickm | 2007-10-26 18:37:02 -0400
Keep circuitless TLS connections open for 1.5 x MaxCircuitDirtiness: this ensures that we don't thrash closing and reopening connections to our guards. svn:r12218
parent
c9c9f581f6
commit
2c1d7cf674
|
@ -3,6 +3,12 @@ Changes in version 0.2.0.10-alpha - 2007-1?-??
|
||||||
- Drop support for OpenSSL version 0.9.6. Just about nobody was using
|
- Drop support for OpenSSL version 0.9.6. Just about nobody was using
|
||||||
it, it had no AES, and it hasn't seen any security patches since 2004.
|
it, it had no AES, and it hasn't seen any security patches since 2004.
|
||||||
|
|
||||||
|
o Minor features:
|
||||||
|
- Clients new hold circuitless TLS connections open for 1.5 times
|
||||||
|
MaxCircuitDirtiness, since it is likely that they'll need to build
|
||||||
|
a circuit over them within that timeframe. Previously, they held them
|
||||||
|
open only for KeepalivePeriod.
|
||||||
|
|
||||||
o Minor bugfixes:
|
o Minor bugfixes:
|
||||||
- Refuse to start if both ORPort and UseBridges are set. Bugfix
|
- Refuse to start if both ORPort and UseBridges are set. Bugfix
|
||||||
on 0.2.0.x.
|
on 0.2.0.x.
|
||||||
|
|
9
doc/TODO
9
doc/TODO
|
@ -23,9 +23,10 @@ Things we'd like to do in 0.2.0.x:
|
||||||
- Support for preconfigured mirror lists
|
- Support for preconfigured mirror lists
|
||||||
- Use a pre-shipped fallback consensus.
|
- Use a pre-shipped fallback consensus.
|
||||||
- Download consensuses (et al) via if-modified-since
|
- Download consensuses (et al) via if-modified-since
|
||||||
- Saner TLS rotation
|
o Saner TLS rotation
|
||||||
- Bump up the "connection timeout" value to be 1.5
|
o Bump up OR the "connection timeout" value to be 1.5
|
||||||
circuit dirtiness interval.
|
circuit dirtiness interval.
|
||||||
|
o Document this in tor-spec
|
||||||
- base Guard flag on WFU rather than or in addition to MTBF
|
- base Guard flag on WFU rather than or in addition to MTBF
|
||||||
D 118 if feasible and obvious
|
D 118 if feasible and obvious
|
||||||
D Maintain a skew estimate and use ftime consistently.
|
D Maintain a skew estimate and use ftime consistently.
|
||||||
|
@ -103,8 +104,8 @@ Things we'd like to do in 0.2.0.x:
|
||||||
- Handle rate-limiting on directory writes to linked directory
|
- Handle rate-limiting on directory writes to linked directory
|
||||||
connections in a more sensible manner.
|
connections in a more sensible manner.
|
||||||
- Find more ways to test this.
|
- Find more ways to test this.
|
||||||
- Have clients do TLS connection rotation less often than "every 10
|
o Do TLS rotation less often than "every 10 minutes" in the thrashy case.
|
||||||
minutes" in the thrashy case, and more often than "once a week" in the
|
D Do TLS connection rotation more often than "once a week" in the
|
||||||
extra-stable case.
|
extra-stable case.
|
||||||
- Streamline how we pick entry nodes: Make choose_random_entry() have
|
- Streamline how we pick entry nodes: Make choose_random_entry() have
|
||||||
less magic and less control logic.
|
less magic and less control logic.
|
||||||
|
|
|
@ -194,9 +194,12 @@ see tor-design.pdf.
|
||||||
of TLS records MUST NOT leak information about the type or contents
|
of TLS records MUST NOT leak information about the type or contents
|
||||||
of the cells.
|
of the cells.
|
||||||
|
|
||||||
TLS connections are not permanent. Either side may close a connection
|
TLS connections are not permanent. Either side MAY close a connection
|
||||||
if there are no circuits running over it and an amount of time
|
if there are no circuits running over it and an amount of time
|
||||||
(KeepalivePeriod, defaults to 5 minutes) has passed.
|
(KeepalivePeriod, defaults to 5 minutes) has passed since the last time
|
||||||
|
any traffic was transmitted over the TLS connection. Clients SHOULD
|
||||||
|
also hold a TLS connection with no circuits open, if it is likely that a
|
||||||
|
circuit will be built soon using that connection.
|
||||||
|
|
||||||
(As an exception, directory servers may try to stay connected to all of
|
(As an exception, directory servers may try to stay connected to all of
|
||||||
the ORs -- though this will be phased out for the Tor 0.1.2.x release.)
|
the ORs -- though this will be phased out for the Tor 0.1.2.x release.)
|
||||||
|
|
|
@ -764,19 +764,23 @@ run_connection_housekeeping(int i, time_t now)
|
||||||
the connection or send a keepalive, depending. */
|
the connection or send a keepalive, depending. */
|
||||||
if (now >= conn->timestamp_lastwritten + options->KeepalivePeriod) {
|
if (now >= conn->timestamp_lastwritten + options->KeepalivePeriod) {
|
||||||
routerinfo_t *router = router_get_by_digest(or_conn->identity_digest);
|
routerinfo_t *router = router_get_by_digest(or_conn->identity_digest);
|
||||||
|
int maxCircuitlessPeriod = options->MaxCircuitDirtiness*3/2;
|
||||||
if (!connection_state_is_open(conn)) {
|
if (!connection_state_is_open(conn)) {
|
||||||
|
/* We never managed to actually get this connection open and happy. */
|
||||||
log_info(LD_OR,"Expiring non-open OR connection to fd %d (%s:%d).",
|
log_info(LD_OR,"Expiring non-open OR connection to fd %d (%s:%d).",
|
||||||
conn->s,conn->address, conn->port);
|
conn->s,conn->address, conn->port);
|
||||||
connection_mark_for_close(conn);
|
connection_mark_for_close(conn);
|
||||||
conn->hold_open_until_flushed = 1;
|
conn->hold_open_until_flushed = 1;
|
||||||
} else if (we_are_hibernating() && !or_conn->n_circuits &&
|
} else if (we_are_hibernating() && !or_conn->n_circuits &&
|
||||||
!buf_datalen(conn->outbuf)) {
|
!buf_datalen(conn->outbuf)) {
|
||||||
|
/* We're hibernating, there's no circuits, and nothing to flush.*/
|
||||||
log_info(LD_OR,"Expiring non-used OR connection to fd %d (%s:%d) "
|
log_info(LD_OR,"Expiring non-used OR connection to fd %d (%s:%d) "
|
||||||
"[Hibernating or exiting].",
|
"[Hibernating or exiting].",
|
||||||
conn->s,conn->address, conn->port);
|
conn->s,conn->address, conn->port);
|
||||||
connection_mark_for_close(conn);
|
connection_mark_for_close(conn);
|
||||||
conn->hold_open_until_flushed = 1;
|
conn->hold_open_until_flushed = 1;
|
||||||
} else if (!clique_mode(options) && !or_conn->n_circuits &&
|
} else if (!clique_mode(options) && !or_conn->n_circuits &&
|
||||||
|
now >= conn->timestamp_lastwritten + maxCircuitlessPeriod &&
|
||||||
(!router || !server_mode(options) ||
|
(!router || !server_mode(options) ||
|
||||||
!router_is_clique_mode(router))) {
|
!router_is_clique_mode(router))) {
|
||||||
log_info(LD_OR,"Expiring non-used OR connection to fd %d (%s:%d) "
|
log_info(LD_OR,"Expiring non-used OR connection to fd %d (%s:%d) "
|
||||||
|
|
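Review bot: The added `now >= conn->timestamp_lastwritten + maxCircuitlessPeriod` condition on the circuitless-expiry branch measures idleness from the last write of any kind, so it may never become true once `maxCircuitlessPeriod` exceeds `KeepalivePeriod`. The block comment above says this path either closes the connection or sends a keepalive; if the keepalive branch (below the hunk, not visible here) advances `timestamp_lastwritten`, every keepalive restarts the clock and an unused TLS connection stays open indefinitely, which costs sockets on both ends. I would compare against a timestamp that padding does not update, and until then add `/* XXX timestamp_lastwritten is also bumped by keepalives; confirm this can still expire */` above the condition. Separately, `options->MaxCircuitDirtiness*3/2` multiplies in `int` before dividing, so a large configured value can overflow unless option validation caps it; `options->MaxCircuitDirtiness + options->MaxCircuitDirtiness/2` leaves more headroom. run_connection_housekeeping starts and ends outside the hunk.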