[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] r9962: first cut at 0.1.2.13 release notes (tor/branches/tor-0_1_2-patches)
Date: 2007-04-15 19:49:37 -0400 (Sun, 15 Apr 2007)
New Revision: 9962
first cut at 0.1.2.13 release notes
--- tor/branches/tor-0_1_2-patches/ReleaseNotes 2007-04-15 13:33:40 UTC (rev 9961)
+++ tor/branches/tor-0_1_2-patches/ReleaseNotes 2007-04-15 23:49:37 UTC (rev 9962)
@@ -3,6 +3,562 @@
of Tor. If you want to see more detailed descriptions of the changes in
each development snapshot, see the ChangeLog file.
+Changes in version 0.1.2.13 - 2007-04-xx
+ o Major features, client performance:
+ - Weight directory requests by advertised bandwidth. Now we can
+ let servers enable write limiting but still allow most clients to
+ succeed at their directory requests. (We still ignore weights when
+ choosing a directory authority; I hope this is a feature.)
+ - Stop overloading exit nodes -- avoid choosing them for entry or
+ middle hops when the total bandwidth available from non-exit nodes
+ is much higher than the total bandwidth available from exit nodes.
+ - Rather than waiting a fixed amount of time between retrying
+ application connections, we wait only 10 seconds for the first,
+ 10 seconds for the second, and 15 seconds for each retry after
+ that. Hopefully this will improve the expected user experience.
+ - Sometimes we didn't bother sending a RELAY_END cell when an attempt
+ to open a stream fails; now we do in more cases. This should
+ make clients able to find a good exit faster in some cases, since
+ unhandleable requests will now get an error rather than timing out.
+ o Major features, client functionality:
+ - Implement BEGIN_DIR cells, so we can connect to a directory
+ server via TLS to do encrypted directory requests rather than
+ plaintext. Enable via the TunnelDirConns and PreferTunneledDirConns
+ config options if you like. For now, this feature only works if
+ you already have a descriptor for the destination dirserver.
+ - Add support for transparent application connections: this basically
+ bundles the functionality of trans-proxy-tor into the Tor
+ mainline. Now hosts with compliant pf/netfilter implementations
+ can redirect TCP connections straight to Tor without diverting
+ through SOCKS. (Based on patch from tup.)
+ - Add support for using natd; this allows FreeBSDs earlier than
+ 5.1.2 to have ipfw send connections through Tor without using
+ SOCKS. (Patch from Zajcev Evgeny with tweaks from tup.)
+ o Major features, servers:
+ - Setting up a dyndns name for your server is now optional: servers
+ with no hostname or IP address will learn their IP address by
+ asking the directory authorities. This code only kicks in when you
+ would normally have exited with a "no address" error. Nothing's
+ authenticated, so use with care.
+ - Directory servers now spool server descriptors, v1 directories,
+ and v2 networkstatus objects to buffers as needed rather than en
+ masse. They also mmap the cached-routers files. These steps save
+ lots of memory.
+ - Stop requiring clients to have well-formed certificates, and stop
+ checking nicknames in certificates. (Clients have certificates so
+ that they can look like Tor servers, but in the future we might want
+ to allow them to look like regular TLS clients instead. Nicknames
+ in certificates serve no purpose other than making our protocol
+ easier to recognize on the wire.) Implements proposal 106.
+ o Improvements on DNS support:
+ - Add "eventdns" asynchronous dns library originally based on code
+ from Adam Langley. Now we can discard the old rickety dnsworker
+ concept, and support a wider variety of DNS functions. Allows
+ multithreaded builds on NetBSD and OpenBSD again.
+ - Add server-side support for "reverse" DNS lookups (using PTR
+ records so clients can determine the canonical hostname for a given
+ IPv4 address). Only supported by servers using eventdns; servers
+ now announce in their descriptors if they don't support eventdns.
+ - Workaround for name servers (like Earthlink's) that hijack failing
+ DNS requests and replace the no-such-server answer with a "helpful"
+ redirect to an advertising-driven search portal. Also work around
+ DNS hijackers who "helpfully" decline to hijack known-invalid
+ RFC2606 addresses. Config option "ServerDNSDetectHijacking 0"
+ lets you turn it off.
+ - Servers now check for the case when common DNS requests are going to
+ wildcarded addresses (i.e. all getting the same answer), and change
+ their exit policy to reject *:* if it's happening.
+ - When asked to resolve a hostname, don't use non-exit servers unless
+ requested to do so. This allows servers with broken DNS to be
+ useful to the network.
+ - Start passing "ipv4" hints to getaddrinfo(), so servers don't do
+ useless IPv6 DNS resolves.
+ - Specify and implement client-side SOCKS5 interface for reverse DNS
+ lookups (see doc/socks-extensions.txt). Also cache them.
+ - When we change nameservers or IP addresses, reset and re-launch
+ our tests for DNS hijacking.
+ o Improvements on reachability testing:
+ - Servers send out a burst of long-range padding cells once they've
+ established that they're reachable. Spread them over 4 circuits,
+ so hopefully a few will be fast. This exercises bandwidth and
+ bootstraps them into the directory more quickly.
+ - When we find our DirPort to be reachable, publish a new descriptor
+ so we'll tell the world (reported by pnx).
+ - Directory authorities now only decide that routers are reachable
+ if their identity keys are as expected.
+ - Do DirPort reachability tests less often, since a single test
+ chews through many circuits before giving up.
+ - Avoid some false positives during reachability testing: don't try
+ to test via a server that's on the same /24 network as us.
+ - Start publishing one minute or so after we find our ORPort
+ to be reachable. This will help reduce the number of descriptors
+ we have for ourselves floating around, since it's quite likely
+ other things (e.g. DirPort) will change during that minute too.
+ - Routers no longer try to rebuild long-term connections to directory
+ authorities, and directory authorities no longer try to rebuild
+ long-term connections to all servers. We still don't hang up
+ connections in these two cases though -- we need to look at it
+ more carefully to avoid flapping, and we likely need to wait til
+ 0.1.1.x is obsolete.
+ o Improvements on rate limiting:
+ - Enable write limiting as well as read limiting. Now we sacrifice
+ capacity if we're pushing out lots of directory traffic, rather
+ than overrunning the user's intended bandwidth limits.
+ - Include TLS overhead when counting bandwidth usage; previously, we
+ would count only the bytes sent over TLS, but not the bytes used
+ to send them.
+ - Servers decline directory requests much more aggressively when
+ they're low on bandwidth. Otherwise they end up queueing more and
+ more directory responses, which can't be good for latency.
+ - But never refuse directory requests from local addresses.
+ - Be willing to read or write on local connections (e.g. controller
+ connections) even when the global rate limiting buckets are empty.
+ - Flush local controller connection buffers periodically as we're
+ writing to them, so we avoid queueing 4+ megabytes of data before
+ trying to flush.
+ - Revise and clean up the torrc.sample that we ship with; add
+ a section for BandwidthRate and BandwidthBurst.
+ o Major features, NT services:
+ - Install as NT_AUTHORITY\LocalService rather than as SYSTEM; add a
+ command-line flag so that admins can override the default by saying
+ "tor --service install --user "SomeUser"". This will not affect
+ existing installed services. Also, warn the user that the service
+ will look for its configuration file in the service user's
+ %appdata% directory. (We can't do the "hardwire the user's appdata
+ directory" trick any more, since we may not have read access to that
+ - Support running the Tor service with a torrc not in the same
+ directory as tor.exe and default to using the torrc located in
+ the %appdata%\Tor\ of the user who installed the service. Patch
+ from Matt Edman.
+ - Add an --ignore-missing-torrc command-line option so that we can
+ get the "use sensible defaults if the configuration file doesn't
+ exist" behavior even when specifying a torrc location on the
+ command line.
+ - When stopping an NT service, wait up to 10 sec for it to actually
+ stop. (Patch from Matt Edman; resolves bug 295.)
+ o Directory authority improvements:
+ - Stop letting hibernating or obsolete servers affect uptime and
+ bandwidth cutoffs.
+ - Stop listing hibernating servers in the v1 directory.
+ - Authorities no longer recommend exits as guards if this would shift
+ too much load to the exit nodes.
+ - Authorities now specify server versions in networkstatus. This adds
+ about 2% to the size of compressed networkstatus docs, and allows
+ clients to tell which servers support BEGIN_DIR and which don't.
+ The implementation is forward-compatible with a proposed future
+ protocol version scheme not tied to Tor versions.
+ - DirServer configuration lines now have an orport= option so
+ clients can open encrypted tunnels to the authorities without
+ having downloaded their descriptors yet. Enabled for moria1,
+ moria2, tor26, and lefkada now in the default configuration.
+ - Add a BadDirectory flag to network status docs so that authorities
+ can (eventually) tell clients about caches they believe to be
+ broken. Not used yet.
+ - Allow authorities to list nodes as bad exits in their
+ approved-routers file by fingerprint or by address. If most
+ authorities set a BadExit flag for a server, clients don't think
+ of it as a general-purpose exit. Clients only consider authorities
+ that advertise themselves as listing bad exits.
+ - Patch from Steve Hildrey: Generate network status correctly on
+ non-versioning dirservers.
+ - Have directory authorities allow larger amounts of drift in uptime
+ without replacing the server descriptor: previously, a server that
+ restarted every 30 minutes could have 48 "interesting" descriptors
+ per day.
+ - Reserve the nickname "Unnamed" for routers that can't pick
+ a hostname: any router can call itself Unnamed; directory
+ authorities will never allocate Unnamed to any particular router;
+ clients won't believe that any router is the canonical Unnamed.
+ o Directory mirrors and clients:
+ - Discard any v1 directory info that's over 1 month old (for
+ directories) or over 1 week old (for running-routers lists).
+ - Clients track responses with status 503 from dirservers. After a
+ dirserver has given us a 503, we try not to use it until an hour has
+ gone by, or until we have no dirservers that haven't given us a 503.
+ - When we get a 503 from a directory, and we're not a server, we no
+ longer count the failure against the total number of failures
+ allowed for the object we're trying to download.
+ - Prepare for servers to publish descriptors less often: never
+ discard a descriptor simply for being too old until either it is
+ recommended by no authorities, or until we get a better one for
+ the same router. Make caches consider retaining old recommended
+ routers for even longer.
+ - Directory servers now provide 'Pragma: no-cache' and 'Expires'
+ headers for content, so that we can work better in the presence of
+ caching HTTP proxies.
+ - Stop fetching descriptors if you're not a dir mirror and you
+ haven't tried to establish any circuits lately. (This currently
+ causes some dangerous behavior, because when you start up again
+ you'll use your ancient server descriptors.)
+ o Major fixes, crashes:
+ - Stop crashing when the controller asks us to resetconf more than
+ one config option at once. (Vidalia 0.0.11 does this.)
+ - Fix a longstanding obscure crash bug that could occur when we run
+ out of DNS worker processes, if we're not using eventdns. (Resolves
+ bug 390.)
+ - Fix an assert that could trigger if a controller quickly set then
+ cleared EntryNodes. (Bug found by Udo van den Heuvel.)
+ - Avoid crash when telling controller about stream-status and a
+ stream is detached.
+ - Avoid sending junk to controllers or segfaulting when a controller
+ uses EVENT_NEW_DESC with verbose nicknames.
+ - Stop triggering asserts if the controller tries to extend hidden
+ service circuits (reported by mwenge).
+ - If we start a server with ClientOnly 1, then set ClientOnly to 0
+ and hup, stop triggering an assert based on an empty onion_key.
+ - Mask out all signals in sub-threads; only the libevent signal
+ handler should be processing them. This should prevent some crashes
+ on some machines using pthreads. (Patch from coderman.)
+ o Major fixes, anonymity/security:
+ - Automatically avoid picking more than one node from the same
+ /16 network when constructing a circuit. Add an
+ "EnforceDistinctSubnets" option to let people disable it if they
+ want to operate private test networks on a single subnet.
+ - When generating bandwidth history, round down to the nearest
+ 1k. When storing accounting data, round up to the nearest 1k.
+ - When we're running as a server, remember when we last rotated onion
+ keys, so that we will rotate keys once they're a week old even if
+ we never stay up for a week ourselves.
+ - If a client asked for a server by name, and there's a named server
+ in our network-status but we don't have its descriptor yet, we
+ could return an unnamed server instead.
+ - Reject (most) attempts to use Tor circuits with length one. (If
+ many people start using Tor as a one-hop proxy, exit nodes become
+ a more attractive target for compromise.)
+ - Just because your DirPort is open doesn't mean people should be
+ able to remotely teach you about hidden service descriptors. Now
+ only accept rendezvous posts if you've got HSAuthoritativeDir set.
+ - Fix a potential race condition in the rpm installer. Found by
+ Stefan Nordhausen.
+ - Do not log IPs with TLS failures for incoming TLS
+ connections. (Fixes bug 382.)
+ o Major fixes, other:
+ - If our system clock jumps back in time, don't publish a negative
+ uptime in the descriptor.
+ - When we start during an accounting interval before it's time to wake
+ up, remember to wake up at the correct time. (May fix bug 342.)
+ - Previously, we would cache up to 16 old networkstatus documents
+ indefinitely, if they came from nontrusted authorities. Now we
+ discard them if they are more than 10 days old.
+ - When we have a state file we cannot parse, tell the user and
+ move it aside. Now we avoid situations where the user starts
+ Tor in 1904, Tor writes a state file with that timestamp in it,
+ the user fixes her clock, and Tor refuses to start.
+ - Publish a new descriptor after we hup/reload. This is important
+ if our config has changed such that we'll want to start advertising
+ our DirPort now, etc.
+ - If we are using an exit enclave and we can't connect, e.g. because
+ its webserver is misconfigured to not listen on localhost, then
+ back off and try connecting from somewhere else before we fail.
+ o New config options or behaviors:
+ - When EntryNodes are configured, rebuild the guard list to contain,
+ in order: the EntryNodes that were guards before; the rest of the
+ EntryNodes; the nodes that were guards before.
+ - Do not warn when individual nodes in the configuration's EntryNodes,
+ ExitNodes, etc are down: warn only when all possible nodes
+ are down. (Fixes bug 348.)
+ - Put a lower-bound on MaxAdvertisedBandwidth.
+ - Start using the state file to store bandwidth accounting data:
+ the bw_accounting file is now obsolete. We'll keep generating it
+ for a while for people who are still using 0.1.2.4-alpha.
+ - Try to batch changes to the state file so that we do as few
+ disk writes as possible while still storing important things in
+ a timely fashion.
+ - The state file and the bw_accounting file get saved less often when
+ the AvoidDiskWrites config option is set.
+ - Make PIDFile work on Windows.
+ - Add internal descriptions for a bunch of configuration options:
+ accessible via controller interface and in comments in saved
+ options files.
+ - Reject *:563 (NNTPS) in the default exit policy. We already reject
+ NNTP by default, so this seems like a sensible addition.
+ - Clients now reject hostnames with invalid characters. This should
+ avoid some inadvertent info leaks. Add an option
+ AllowNonRFC953Hostnames to disable this behavior, in case somebody
+ is running a private network with hosts called @, !, and #.
+ - Check for addresses with invalid characters at the exit as well,
+ and warn less verbosely when they fail. You can override this by
+ setting ServerDNSAllowNonRFC953Addresses to 1.
+ - Remove some options that have been deprecated since at least
+ 0.1.0.x: AccountingMaxKB, LogFile, DebugLogFile, LogLevel, and
+ SysLog. Use AccountingMax instead of AccountingMaxKB, and use Log
+ to set log options. Mark PathlenCoinWeight as obsolete.
+ - Stop accepting certain malformed ports in configured exit policies.
+ - When the user uses bad syntax in the Log config line, stop
+ suggesting other bad syntax as a replacement.
+ - Add new config option "ResolvConf" to let the server operator
+ choose an alternate resolve.conf file when using eventdns.
+ - If one of our entry guards is on the ExcludeNodes list, or the
+ directory authorities don't think it's a good guard, treat it as
+ if it were unlisted: stop using it as a guard, and throw it off
+ the guards list if it stays that way for a long time.
+ - Allow directory authorities to be marked separately as authorities
+ for the v1 directory protocol, the v2 directory protocol, and
+ as hidden service directories, to make it easier to retire old
+ authorities. V1 authorities should set "HSAuthoritativeDir 1"
+ to continue being hidden service authorities too.
+ - Remove 8888 as a LongLivedPort, and add 6697 (IRCS).
+ - Make TrackExitHosts case-insensitive, and fix the behavior of
+ ".suffix" TrackExitHosts items to avoid matching in the middle of
+ an address.
+ - New DirPort behavior: if you have your dirport set, you download
+ descriptors aggressively like a directory mirror, whether or not
+ your ORPort is set.
+ o Docs:
+ - Create a new file ReleaseNotes which was the old ChangeLog. The
+ new ChangeLog file now includes the notes for all development
+ versions too.
+ - Add a new address-spec.txt document to describe our special-case
+ addresses: .exit, .onion, and .noconnnect.
+ - Fork the v1 directory protocol into its own spec document,
+ and mark dir-spec.txt as the currently correct (v2) spec.
+ o Packaging, porting, and contrib
+ - "tor --verify-config" now exits with -1(255) or 0 depending on
+ whether the config options are bad or good.
+ - The Debian package now uses --verify-config when (re)starting,
+ to distinguish configuration errors from other errors.
+ - Adapt a patch from goodell to let the contrib/exitlist script
+ take arguments rather than require direct editing.
+ - Prevent the contrib/exitlist script from printing the same
+ result more than once.
+ - Add support to tor-resolve tool for reverse lookups and SOCKS5.
+ - In the hidden service example in torrc.sample, stop recommending
+ esoteric and discouraged hidden service options.
+ - Patch from Michael Mohr to contrib/cross.sh, so it checks more
+ values before failing, and always enables eventdns.
+ - Try to detect Windows correctly when cross-compiling.
+ - Libevent-1.2 exports, but does not define in its headers, strlcpy.
+ Try to fix this in configure.in by checking for most functions
+ before we check for libevent.
+ - Update RPMs to require libevent 1.2.
+ - Experimentally re-enable kqueue on OSX when using libevent 1.1b
+ or later. Log when we are doing this, so we can diagnose it when
+ it fails. (Also, recommend libevent 1.1b for kqueue and
+ win32 methods; deprecate libevent 1.0b harder; make libevent
+ recommendation system saner.)
+ - Build with recent (1.3+) libevents on platforms that do not
+ define the nonstandard types "u_int8_t" and friends.
+ - Remove architecture from OS X builds. The official builds are
+ now universal binaries.
+ - Run correctly on OS X platforms with case-sensitive filesystems.
+ - Correctly set maximum connection limit on Cygwin. (This time
+ for sure!)
+ - Start compiling on MinGW on Windows (patches from Mike Chiussi
+ and many others).
+ - Start compiling on MSVC6 on Windows (patches from Frediano Ziglio).
+ - Finally fix the openssl warnings from newer gccs that believe that
+ ignoring a return value is okay, but casting a return value and
+ then ignoring it is a sign of madness.
+ - On architectures where sizeof(int)>4, still clamp declarable
+ bandwidth to INT32_MAX.
+ o Minor features, controller:
+ - Warn the user when an application uses the obsolete binary v0
+ control protocol. We're planning to remove support for it during
+ the next development series, so it's good to give people some
+ advance warning.
+ - Add STREAM_BW events to report per-entry-stream bandwidth
+ use. (Patch from Robert Hogan.)
+ - Rate-limit SIGNEWNYM signals in response to controllers that
+ impolitely generate them for every single stream. (Patch from
+ mwenge; closes bug 394.)
+ - Add a REMAP status to stream events to note that a stream's
+ address has changed because of a cached address or a MapAddress
+ - Make REMAP stream events have a SOURCE (cache or exit), and
+ make them generated in every case where we get a successful
+ connected or resolved cell.
+ - Track reasons for OR connection failure; make these reasons
+ available via the controller interface. (Patch from Mike Perry.)
+ - Add a SOCKS_BAD_HOSTNAME client status event so controllers
+ can learn when clients are sending malformed hostnames to Tor.
+ - Specify and implement some of the controller status events.
+ - Have GETINFO dir/status/* work on hosts with DirPort disabled.
+ - Reimplement GETINFO so that info/names stays in sync with the
+ actual keys.
+ - Implement "GETINFO fingerprint".
+ - Implement "SETEVENTS GUARD" so controllers can get updates on
+ entry guard status as it changes.
+ - Make all connections to addresses of the form ".noconnect"
+ immediately get closed. This lets application/controller combos
+ successfully test whether they're talking to the same Tor by
+ watching for STREAM events.
+ - Add a REASON field to CIRC events; for backward compatibility, this
+ field is sent only to controllers that have enabled the extended
+ event format. Also, add additional reason codes to explain why
+ a given circuit has been destroyed or truncated. (Patches from
+ Mike Perry)
+ - Add a REMOTE_REASON field to extended CIRC events to tell the
+ controller why a remote OR told us to close a circuit.
+ - Stream events also now have REASON and REMOTE_REASON fields,
+ working much like those for circuit events.
+ - There's now a GETINFO ns/... field so that controllers can ask Tor
+ about the current status of a router.
+ - A new event type "NS" to inform a controller when our opinion of
+ a router's status has changed.
+ - Add a GETINFO events/names and GETINFO features/names so controllers
+ can tell which events and features are supported.
+ - A new CLEARDNSCACHE signal to allow controllers to clear the
+ client-side DNS cache without expiring circuits.
+ - Fix CIRC controller events so that controllers can learn the
+ identity digests of non-Named servers used in circuit paths.
+ - Let controllers ask for more useful identifiers for servers. Instead
+ of learning identity digests for un-Named servers and nicknames
+ for Named servers, the new identifiers include digest, nickname,
+ and indication of Named status. Off by default; see control-spec.txt
+ for more information.
+ - Add a "getinfo address" controller command so it can display Tor's
+ best guess to the user.
+ - New controller event to alert the controller when our server
+ descriptor has changed.
+ - Give more meaningful errors on controller authentication failure.
+ - Export the default exit policy via the control port, so controllers
+ don't need to guess what it is / will be later.
+ o Minor bugfixes, controller:
+ - When creating a circuit via the controller, send a 'launched'
+ event when we're done, so we follow the spec better.
+ - Correct the control spec to match how the code actually responds
+ to 'getinfo addr-mappings/*'. Reported by daejees.
+ - The control spec described a GUARDS event, but the code
+ implemented a GUARD event. Standardize on GUARD, but let people
+ ask for GUARDS too. Reported by daejees.
+ - Give the controller END_STREAM_REASON_DESTROY events _before_ we
+ clear the corresponding on_circuit variable, and remember later
+ that we don't need to send a redundant CLOSED event. (Resolves part
+ 3 of bug 367.)
+ - Report events where a resolve succeeded or where we got a socks
+ protocol error correctly, rather than calling both of them
+ - Change reported stream target addresses to IP consistently when
+ we finally get the IP from an exit node.
+ - Send log messages to the controller even if they happen to be very
+ - Flush ERR-level controller status events just like we currently
+ flush ERR-level log events, so that a Tor shutdown doesn't prevent
+ the controller from learning about current events.
+ - Report the circuit number correctly in STREAM CLOSED events. Bug
+ reported by Mike Perry.
+ - Do not report bizarre values for results of accounting GETINFOs
+ when the last second's write or read exceeds the allotted bandwidth.
+ - Report "unrecognized key" rather than an empty string when the
+ controller tries to fetch a networkstatus that doesn't exist.
+ - When the controller does a "GETINFO network-status", tell it
+ about even those routers whose descriptors are very old, and use
+ long nicknames where appropriate.
+ - Fix handling of verbose nicknames with ORCONN controller events:
+ make them show up exactly when requested, rather than exactly when
+ not requested.
+ - Controller signals now work on non-Unix platforms that don't define
+ SIGUSR1 and SIGUSR2 the way we expect.
+ - Respond to SIGNAL command before we execute the signal, in case
+ the signal shuts us down. Suggested by Karsten Loesing.
+ - Handle reporting OR_CONN_EVENT_NEW events to the controller.
+ o Minor features, code performance:
+ - Major performance improvement on inserting descriptors: change
+ algorithm from O(n^2) to O(n).
+ - Do not rotate onion key immediately after setting it for the first
+ - Call router_have_min_dir_info half as often. (This is showing up in
+ some profiles, but not others.)
+ - When using GCC, make log_debug never get called at all, and its
+ arguments never get evaluated, when no debug logs are configured.
+ (This is showing up in some profiles, but not others.)
+ - Statistics dumped by -USR2 now include a breakdown of public key
+ operations, for profiling.
+ - Make the common memory allocation path faster on machines where
+ malloc(0) returns a pointer.
+ - Split circuit_t into origin_circuit_t and or_circuit_t, and
+ split connection_t into edge, or, dir, control, and base structs.
+ These will save quite a bit of memory on busy servers, and they'll
+ also help us track down bugs in the code and bugs in the spec.
+ - Use OpenSSL's AES implementation on platforms where it's faster.
+ This could save us as much as 10% CPU usage.
+ o Minor features, descriptors and descriptor handling:
+ - Avoid duplicate entries on MyFamily line in server descriptor.
+ - When Tor receives a router descriptor that it asked for, but
+ no longer wants (because it has received fresh networkstatuses
+ in the meantime), do not warn the user. Cache the descriptor if
+ we're a cache; drop it if we aren't.
+ - Servers no longer ever list themselves in their "family" line,
+ even if configured to do so. This makes it easier to configure
+ family lists conveniently.
+ o Minor fixes, confusing/misleading log messages:
+ - Display correct results when reporting which versions are
+ recommended, and how recommended they are. (Resolves bug 383.)
+ - Inform the server operator when we decide not to advertise a
+ DirPort due to AccountingMax enabled or a low BandwidthRate.
+ - Only include function names in log messages for info/debug messages.
+ For notice/warn/err, the content of the message should be clear on
+ its own, and printing the function name only confuses users.
+ - Remove even more protocol-related warnings from Tor server logs,
+ such as bad TLS handshakes and malformed begin cells.
+ - Fix bug 314: Tor clients issued "unsafe socks" warnings even
+ when the IP address is mapped through MapAddress to a hostname.
+ - Fix misleading log messages: an entry guard that is "unlisted",
+ as well as not known to be "down" (because we've never heard
+ of it), is not therefore "up".
+ o Minor fixes, old/obsolete behavior:
+ - Start assuming we can use a create_fast cell if we don't know
+ what version a router is running.
+ - We no longer look for identity and onion keys in "identity.key" and
+ "onion.key" -- these were replaced by secret_id_key and
+ secret_onion_key in 0.0.8pre1.
+ - We no longer require unrecognized directory entries to be
+ preceded by "opt".
+ - Drop compatibility with obsolete Tors that permit create cells
+ to have the wrong circ_id_type.
+ - Remove code to special-case "-cvs" ending, since it has not
+ actually mattered since 0.0.9.
+ - Don't re-write the fingerprint file every restart, unless it has
+ o Minor fixes, misc client-side behavior:
+ - Always remove expired routers and networkstatus docs before checking
+ whether we have enough information to build circuits. (Fixes
+ bug 373.)
+ - When computing clock skew from directory HTTP headers, consider what
+ time it was when we finished asking for the directory, not what
+ time it is now.
+ - Make our socks5 handling more robust to broken socks clients:
+ throw out everything waiting on the buffer in between socks
+ handshake phases, since they can't possibly (so the theory
+ goes) have predicted what we plan to respond to them.
+ - Expire socks connections if they spend too long waiting for the
+ handshake to finish. Previously we would let them sit around for
+ days, if the connecting application didn't close them either.
+ - And if the socks handshake hasn't started, don't send a
+ "DNS resolve socks failed" handshake reply; just close it.
+ - If the user asks to use invalid exit nodes, be willing to use
+ unstable ones.
+ - Track unreachable entry guards correctly: don't conflate
+ 'unreachable by us right now' with 'listed as down by the directory
+ authorities'. With the old code, if a guard was unreachable by us
+ but listed as running, it would clog our guard list forever.
+ - Behave correctly in case we ever have a network with more than
+ 2GB/s total advertised capacity.
+ - Claim a commonname of Tor, rather than TOR, in TLS handshakes.
Changes in version 0.1.1.26 - 2006-12-14
o Security bugfixes:
- Stop sending the HttpProxyAuthenticator string to directory