Merge branch 'maint-0.2.4' into release-0.2.4
This commit is contained in:
commit
33b86071b7
|
@ -0,0 +1,6 @@
|
|||
o Major enhancements:
|
||||
- Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later.
|
||||
(OpenSSL before 1.0.1 didn't have TLS 1.1 or 1.2. OpenSSL from 1.0.1
|
||||
through 1.0.1d had bugs that prevented renegotiation from working
|
||||
with TLS 1.1 or 1.2, so we disabled them to solve bug 6033.) Fix for
|
||||
issue #6055.
|
|
@ -0,0 +1,5 @@
|
|||
o Minor bugfixes:
|
||||
- If we are unable to save a microdescriptor to the journal, do not
|
||||
drop it from memory and then reattempt downloading it. Fixes bug
|
||||
9645; bugfix on 0.2.2.6-alpha.
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
o Major bugfixes:
|
||||
- Do not apply connection_consider_empty_read/write_buckets to
|
||||
cpuworker connections.
|
|
@ -0,0 +1,8 @@
|
|||
o Minor bugfixes (performance, fingerprinting):
|
||||
- Our default TLS ecdhe groups were backwards: we meant to be using
|
||||
P224 for relays (for performance win) and P256 for bridges (since
|
||||
it is more common in the wild). Instead we had it backwards. After
|
||||
reconsideration, we decided that the default should be P256 on all
|
||||
hosts, since its security is probably better, and since P224 is
|
||||
reportedly used quite little in the wild. Found by "skruffy" on
|
||||
IRC. Fix for bug 9780; bugfix on 0.2.4.8-alpha.
|
|
@ -1646,7 +1646,7 @@ is non-zero):
|
|||
What EC group should we try to use for incoming TLS connections?
|
||||
P224 is faster, but makes us stand out more. Has no effect if
|
||||
we're a client, or if our OpenSSL version lacks support for ECDHE.
|
||||
(Default: P224 for public servers; P256 for bridges.)
|
||||
(Default: P256)
|
||||
|
||||
[[CellStatistics]] **CellStatistics** **0**|**1**::
|
||||
When this option is enabled, Tor writes statistics on the mean time that
|
||||
|
|
|
@ -1269,12 +1269,15 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
|
|||
* version. Once some version of OpenSSL does TLS1.1 and TLS1.2
|
||||
* renegotiation properly, we can turn them back on when built with
|
||||
* that version. */
|
||||
#if OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,1,'e')
|
||||
#ifdef SSL_OP_NO_TLSv1_2
|
||||
SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2);
|
||||
#endif
|
||||
#ifdef SSL_OP_NO_TLSv1_1
|
||||
SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1);
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/* Disable TLS tickets if they're supported. We never want to use them;
|
||||
* using them can make our perfect forward secrecy a little worse, *and*
|
||||
* create an opportunity to fingerprint us (since it's unusual to use them
|
||||
|
@ -1369,10 +1372,8 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
|
|||
nid = NID_secp224r1;
|
||||
else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
|
||||
nid = NID_X9_62_prime256v1;
|
||||
else if (flags & TOR_TLS_CTX_IS_PUBLIC_SERVER)
|
||||
nid = NID_X9_62_prime256v1;
|
||||
else
|
||||
nid = NID_secp224r1;
|
||||
nid = NID_X9_62_prime256v1;
|
||||
/* Use P-256 for ECDHE. */
|
||||
ec_key = EC_KEY_new_by_curve_name(nid);
|
||||
if (ec_key != NULL) /*XXXX Handle errors? */
|
||||
|
|
|
@ -2483,6 +2483,9 @@ connection_consider_empty_read_buckets(connection_t *conn)
|
|||
} else
|
||||
return; /* all good, no need to stop it */
|
||||
|
||||
if (conn->type == CONN_TYPE_CPUWORKER)
|
||||
return; /* Always okay. */
|
||||
|
||||
LOG_FN_CONN(conn, (LOG_DEBUG, LD_NET, "%s", reason));
|
||||
conn->read_blocked_on_bw = 1;
|
||||
connection_stop_reading(conn);
|
||||
|
@ -2507,6 +2510,9 @@ connection_consider_empty_write_buckets(connection_t *conn)
|
|||
} else
|
||||
return; /* all good, no need to stop it */
|
||||
|
||||
if (conn->type == CONN_TYPE_CPUWORKER)
|
||||
return; /* Always okay. */
|
||||
|
||||
LOG_FN_CONN(conn, (LOG_DEBUG, LD_NET, "%s", reason));
|
||||
conn->write_blocked_on_bw = 1;
|
||||
connection_stop_writing(conn);
|
||||
|
|
|
@ -213,7 +213,6 @@ microdescs_add_list_to_cache(microdesc_cache_t *cache,
|
|||
if (fd < 0) {
|
||||
log_warn(LD_DIR, "Couldn't append to journal in %s: %s",
|
||||
cache->journal_fname, strerror(errno));
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -238,11 +237,11 @@ microdescs_add_list_to_cache(microdesc_cache_t *cache,
|
|||
if (size < 0) {
|
||||
/* we already warned in dump_microdescriptor */
|
||||
abort_writing_to_file(open_file);
|
||||
smartlist_clear(added);
|
||||
return added;
|
||||
fd = -1;
|
||||
} else {
|
||||
md->saved_location = SAVED_IN_JOURNAL;
|
||||
cache->journal_len += size;
|
||||
}
|
||||
md->saved_location = SAVED_IN_JOURNAL;
|
||||
cache->journal_len += size;
|
||||
} else {
|
||||
md->saved_location = where;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue