Merge branch 'maint-0.2.2' into release-0.2.2

2011-09-13 18:34:12 -04:00 · 2011-09-13 18:34:12 -04:00 · a4ed8622c0
parent 9d1ea45b58 4a351b4b9e
commit a4ed8622c0
4 changed files with 12 additions and 6 deletions
--- a/changes/bug4014
+++ b/changes/bug4014
@ -0,0 +1,3 @@
+  o Minor features:
+    - Adjust the expiration time on our SSL session certificates to
+      better match SSL certs seen in the wild. Resolves ticket 4014.
--- a/src/or/main.c
+++ b/src/or/main.c
@ -940,15 +940,16 @@ run_scheduled_events(time_t now)
  if (options->UseBridges)
    fetch_bridge_descriptors(options, now);

-  /** 1b. Every MAX_SSL_KEY_LIFETIME seconds, we change our TLS context. */
+  /** 1b. Every MAX_SSL_KEY_LIFETIME_INTERNAL seconds, we change our
+   * TLS context. */
  if (!last_rotated_x509_certificate)
    last_rotated_x509_certificate = now;
-  if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME < now) {
+  if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME_INTERNAL < now) {
    log_info(LD_GENERAL,"Rotating tls context.");
    if (tor_tls_context_init(public_server_mode(options),
                             get_tlsclient_identity_key(),
                             is_server ? get_server_identity_key() : NULL,
-                             MAX_SSL_KEY_LIFETIME) < 0) {
+                             MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
      log_warn(LD_BUG, "Error reinitializing TLS context");
      /* XXX is it a bug here, that we just keep going? -RD */
    }
--- a/src/or/or.h
+++ b/src/or/or.h
@ -163,7 +163,9 @@
 /** How often do we rotate onion keys? */
 #define MIN_ONION_KEY_LIFETIME (7*24*60*60)
 /** How often do we rotate TLS contexts? */
-#define MAX_SSL_KEY_LIFETIME (2*60*60)
+#define MAX_SSL_KEY_LIFETIME_INTERNAL (2*60*60)
+/** What expiry time shall we place on our SSL certs? */
+#define MAX_SSL_KEY_LIFETIME_ADVERTISED (365*24*60*60)

 /** How old do we allow a router to get before removing it
 * from the router list? In seconds. */
--- a/src/or/router.c
+++ b/src/or/router.c
@ -526,7 +526,7 @@ init_keys(void)
    if (tor_tls_context_init(0,
                             get_tlsclient_identity_key(),
                             NULL,
-                             MAX_SSL_KEY_LIFETIME) < 0) {
+                             MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
      log_err(LD_GENERAL,"Error creating TLS context for Tor client.");
      return -1;
    }
@ -622,7 +622,7 @@ init_keys(void)
  if (tor_tls_context_init(public_server_mode(options),
                           get_tlsclient_identity_key(),
                           get_server_identity_key(),
-                           MAX_SSL_KEY_LIFETIME) < 0) {
+                           MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
    log_err(LD_GENERAL,"Error initializing TLS context");
    return -1;
  }