[or-cvs] r15821: Fix for session-related bug found by Geoff Goodell. backport (in tor/trunk: . src/common)
Author: nickm
Date: 2008-07-10 14:31:33 -0400 (Thu, 10 Jul 2008)
New Revision: 15821
Modified:
tor/trunk/
tor/trunk/ChangeLog
tor/trunk/src/common/tortls.c
Log:
r16882@tombo: nickm | 2008-07-10 14:31:25 -0400
Fix for session-related bug found by Geoff Goodell. backport candidate, once tested.
Property changes on: tor/trunk
___________________________________________________________________
svk:merge ticket from /tor/trunk [r16882] on 49666b30-7950-49c5-bedf-9dc8f3168102
Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog 2008-07-10 18:31:28 UTC (rev 15820)
+++ tor/trunk/ChangeLog 2008-07-10 18:31:33 UTC (rev 15821)
@@ -56,6 +56,11 @@
- Correctly detect transparent proxy support on Linux hosts that
require in.h to be included before netfilter_ipv4.h. Patch
from coderman.
+ - Disallow session resumption attempts during the renegotiation
+ stage of the v2 handshake protocol. Clients should never be
+ trying session resumption at this point, but apparently some
+ did, in ways that caused the handshake to fail. Bugfix on
+ 0.2.0.20-rc. Bug found by Geoff Goodell.
Changes in version 0.2.1.2-alpha - 2008-06-20
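Review bot: the new ChangeLog entry (the five "+" lines) promises that session resumption is disallowed during renegotiation, but the accompanying tortls.c change only sets the option inside an #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION block, so builds against an OpenSSL that lacks that option get no fix at all and the described handshake failures remain. The entry should state that qualification, e.g. "Only effective when built against an OpenSSL that provides SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION."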
Modified: tor/trunk/src/common/tortls.c
===================================================================
--- tor/trunk/src/common/tortls.c 2008-07-10 18:31:28 UTC (rev 15820)
+++ tor/trunk/src/common/tortls.c 2008-07-10 18:31:33 UTC (rev 15821)
@@ -564,6 +564,11 @@
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
#endif
SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
+
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ SSL_CTX_set_options(result->ctx,
+ SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
/* Don't actually allow compression; it uses ram and time, but the data
* we transmit is all encrypted anyway. */
if (result->ctx->comp_methods)