[or-cvs] r17882: {tor} Backport r14830: Do not use SSL compression. It was pointles (in tor/branches/tor-0_2_0-patches: . src/common)



Author: nickm
Date: 2009-01-04 13:52:32 -0500 (Sun, 04 Jan 2009)
New Revision: 17882

Modified:
   tor/branches/tor-0_2_0-patches/ChangeLog
   tor/branches/tor-0_2_0-patches/src/common/tortls.c
Log:
Backport r14830: Do not use SSL compression.
It was pointless, since most of our cells are encrypted, full of compressed data, or both; and harmful, because compression is expensive and distinguishable.

Modified: tor/branches/tor-0_2_0-patches/ChangeLog
===================================================================
--- tor/branches/tor-0_2_0-patches/ChangeLog	2009-01-04 17:57:06 UTC (rev 17881)
+++ tor/branches/tor-0_2_0-patches/ChangeLog	2009-01-04 18:52:32 UTC (rev 17882)
@@ -77,6 +77,9 @@
       for more info.
     - Check DNS replies for more matching fields to better resist DNS
       poisoning.
+    - Never use OpenSSL compression: it wastes RAM and CPU trying to
+      compress cells, which are basically all encrypted, compressed, or
+      both.
 
 
 Changes in version 0.2.0.32 - 2008-11-20
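Review bot: the new ChangeLog entry gives only the resource-cost rationale ("wastes RAM and CPU"), while the commit message above also states that compression is "distinguishable"; since that fingerprinting concern is the security-relevant half of the justification, the entry should carry it too, e.g. "... compressed, or both, and because compression makes our TLS traffic easier to distinguish."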

Modified: tor/branches/tor-0_2_0-patches/src/common/tortls.c
===================================================================
--- tor/branches/tor-0_2_0-patches/src/common/tortls.c	2009-01-04 17:57:06 UTC (rev 17881)
+++ tor/branches/tor-0_2_0-patches/src/common/tortls.c	2009-01-04 18:52:32 UTC (rev 17882)
@@ -564,6 +564,9 @@
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
 #endif
   SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
+  /* Don't actually allow compression; it uses RAM and time, but the data
+   * we transmit is all encrypted anyway. */
+  result->ctx->comp_methods = NULL;
 
 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
   SSL_CTX_set_options(result->ctx,
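Review bot: `result->ctx->comp_methods = NULL;` reaches directly into an internal field of `SSL_CTX` instead of going through an OpenSSL API call like the surrounding `SSL_CTX_set_options` lines, so it silently depends on the struct layout of the OpenSSL version being built against; consider wrapping the assignment in a version or feature guard, in the same style as the `#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION` block just below, and leaving a comment noting that it is a workaround for the lack of a public option. The new comment also states that the transmitted data "is all encrypted anyway", whereas the commit message says it is "encrypted, full of compressed data, or both"; aligning the comment with the commit message, and mentioning the distinguishability concern, would make the rationale complete at the point where a later reader will look for it.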