[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] my current notes on a 0.1.1.20 changelog
Update of /home/or/cvsroot/tor
In directory moria:/tmp/cvs-serv24962
Modified Files:
ChangeLog
Log Message:
my current notes on a 0.1.1.20 changelog
Index: ChangeLog
===================================================================
RCS file: /home/or/cvsroot/tor/ChangeLog,v
retrieving revision 1.156
retrieving revision 1.157
diff -u -p -d -r1.156 -r1.157
--- ChangeLog 22 May 2006 19:56:32 -0000 1.156
+++ ChangeLog 22 May 2006 20:00:12 -0000 1.157
@@ -1,3 +1,564 @@
+Changes in version 0.1.1.20 - 2006-05-xx
+ o Unsorted
+ - Fix minor integer overflow in calculating when we expect to use up
+ our bandwidth allocation before hibernating.
+ - If ORPort is set, Address is not explicitly set, and our hostname
+ resolves to a private IP address, try to use an interface address
+ if it has a public address. Now Windows machines that think of
+ themselves as localhost can guess their address.
+ - Lower the minimum required number of file descriptors to 1000,
+ so we can have some overhead for Valgrind on Linux, where the
+ default ulimit -n is 1024.
+ - Stop writing the "router.desc" file, ever. Nothing uses it anymore,
+ and its existence is confusing some users.
+ - Start storing useful information to $DATADIR/state file, so we
+ can remember things across invocations of Tor. Retain unrecognized
+ lines so we can be forward-compatible, and write a TorVersion line
+ so we can be backward-compatible.
+
+ o Crash and assert fixes from 0.1.0.17:
+ - Fix assert bug in close_logs() on exit: when we close and delete
+ logs, remove them all from the global "logfiles" list.
+ - Fix an assert error when we're out of space in the connection_list
+ and we try to post a hidden service descriptor (reported by Peter
+ Palfrader).
+ - Fix a rare assert error when we've tried all intro points for
+ a hidden service and we try fetching the service descriptor again:
+ "Assertion conn->state != AP_CONN_STATE_RENDDESC_WAIT failed"
+ - Setconf SocksListenAddress killed Tor if it fails to bind. Now back
+ out and refuse the setconf if it would fail.
+ - If you specify a relative torrc path and you set RunAsDaemon in
+ your torrc, then it chdir()'s to the new directory. If you HUP,
+ it tries to load the new torrc location, fails, and exits.
+ The fix: no longer allow a relative path to torrc when using -f.
+ - Check for integer overflows in more places, when adding elements
+ to smartlists. This could possibly prevent a buffer overflow
+ on malicious huge inputs.
+
+ o Security fixes, major:
+ - When we're printing strings from the network, don't try to print
+ non-printable characters. Now we're safer against shell escape
+ sequence exploits, and also against attacks to fool humans into
+ misreading their logs.
+ - Implement entry guards: automatically choose a handful of entry
+ nodes and stick with them for all circuits. Only pick new guards
+ when the ones you have are unsuitable, and if the old guards
+ become suitable again, switch back. This will increase security
+ dramatically against certain end-point attacks. The EntryNodes
+ config option now provides some hints about which entry guards you
+ want to use most; and StrictEntryNodes means to only use those.
+ Fixes CVE-2006-0414.
+ - Implement exit enclaves: if we know an IP address for the
+ destination, and there's a running Tor server at that address
+ which allows exit to the destination, then extend the circuit to
+ that exit first. This provides end-to-end encryption and end-to-end
+ authentication. Also, if the user wants a .exit address or enclave,
+ use 4 hops rather than 3, and cannibalize a general circ for it
+ if you can.
+ - Obey our firewall options more faithfully:
+ . If we can't get to a dirserver directly, try going via Tor.
+ . Don't ever try to connect (as a client) to a place our
+ firewall options forbid.
+ . If we specify a proxy and also firewall options, obey the
+ firewall options even when we're using the proxy: some proxies
+ can only proxy to certain destinations.
+ - Make clients regenerate their keys when their IP address changes.
+ - For the OS X package's modified privoxy config file, comment
+ out the "logfile" line so we don't log everything passed
+ through privoxy.
+ - Our TLS handshakes were generating a single public/private
+ keypair for the TLS context, rather than making a new one for
+ each new connection. Oops. (But we were still rotating them
+ periodically, so it's not so bad.)
+ - When we were cannibalizing a circuit with a particular exit
+ node in mind, we weren't checking to see if that exit node was
+ already present earlier in the circuit. Oops.
+ - Require server descriptors to list IPv4 addresses -- hostnames
+ are no longer allowed. This also fixes some potential security
+ problems with people providing hostnames as their address and then
+ preferentially resolving them so they can partition users.
+ - Our logic to decide if the OR we connected to was the right guy
+ was brittle and maybe open to a mitm for invalid routers.
+
+ o Security fixes, minor:
+ - Adjust tor-spec to parameterize cell and key lengths. Now Ian
+ Goldberg can prove things about our handshake protocol more
+ easily.
+ - Make dirservers generate a separate "guard" flag to mean
+ "would make a good entry guard".
+ - Clients now honor the "guard" flag in the router status when
+ picking entry guards, rather than looking at is_fast or is_stable.
+ - Fix a possible way to DoS dirservers.
+ - Try to list MyFamily elements by key, not by nickname, and warn
+ if we've not heard of a server.
+ - When the client asked for a rendezvous port that the hidden
+ service didn't want to provide, we were sending an IP address
+ back along with the end cell. Fortunately, it was zero. But stop
+ that anyway.
+ - Start using RAND_bytes rather than RAND_pseudo_bytes from
+ OpenSSL. Also, reseed our entropy every hour, not just at
+ startup. And add entropy in 512-bit chunks, not 160-bit chunks.
+ - Refuse server descriptors where the fingerprint line doesn't match
+ the included identity key. Tor doesn't care, but other apps (and
+ humans) might actually be trusting the fingerprint line.
+ - We used to kill the circuit when we receive a relay command we
+ don't recognize. Now we just drop that cell.
+ - Fix a bug found by Lasse Overlier: when we were making internal
+ circuits (intended to be cannibalized later for rendezvous and
+ introduction circuits), we were picking them so that they had
+ useful exit nodes. There was no need for this, and it actually
+ aids some statistical attacks.
+ - Start treating internal circuits and exit circuits separately.
+ It's important to keep them separate because internal circuits
+ have their last hops picked like middle hops, rather than like
+ exit hops. So exiting on them will break the user's expectations.
+
+ o Packaging improvements:
+ - Implement --with-libevent-dir option to ./configure. Also, improve
+ search techniques to find libevent, and use those for openssl too.
+ - Fix a couple of bugs in OpenSSL detection. Also, deal better when
+ there are multiple SSLs installed with different versions.
+ - Avoid warnings about machine/limits.h on Debian GNU/kFreeBSD.
+ - On non-gcc compilers (e.g. solaris), use "-g -O" instead of
+ "-Wall -g -O2".
+ - Make unit tests (and other invocations that aren't the real Tor)
+ run without launching listeners, creating subdirectories, and so on.
+ - The OS X installer was adding a symlink for tor_resolve but
+ the binary was called tor-resolve (reported by Thomas Hardly).
+ - Now we can target arch and OS in rpm builds (contributed by
+ Phobos). Also make the resulting dist-rpm filename match the
+ target arch.
+ - Apply Matt Ghali's --with-syslog-facility patch to ./configure
+ if you log to syslog and want something other than LOG_DAEMON.
+ - Fix the torify (tsocks) config file to not use Tor for localhost
+ connections.
+ - Start shipping socks-extensions.txt, tor-doc-unix.html,
+ tor-doc-server.html, and stylesheet.css in the tarball.
+ - Stop shipping tor-doc.html in the tarball.
+ - No longer ship INSTALL and README files -- they are useless now.
+ - Add Peter Palfrader's check-tor script to tor/contrib/
+ It lets you easily check whether a given server (referenced by
+ nickname) is reachable by you.
+ - Add BSD-style contributed startup script "rc.subr" from Peter
+ Thoenen.
+
+ o Directory improvements -- new directory protocol:
+ - See tor/doc/dir-spec.txt for all the juicy details. Key points:
+ - Clients don't download or use the old directory anymore. Now they
+ download and use network-statuses from the trusted dirservers,
+ and fetch individual server descriptors as needed from mirrors.
+ - Clients no longer download descriptors for non-running servers.
+ - Download descriptors by digest, not by fingerprint. Caches try to
+ download all listed digests from authorities; clients try to
+ download "best" digests from caches. This avoids partitioning
+ and isolating attacks better.
+ - Only upload a new server descriptor when options change, 18
+ hours have passed, uptime is reset, or bandwidth changes a lot.
+ - Directory authorities silently throw away new descriptors that
+ haven't changed much if the timestamps are similar. We do this to
+ tolerate older Tor servers that upload a new descriptor every 15
+ minutes. (It seemed like a good idea at the time.)
+ - Clients choose directory servers from the network status lists,
+ not from their internal list of router descriptors. Now they can
+ go to caches directly rather than needing to go to authorities
+ to bootstrap the first set of descriptors.
+ - When picking a random directory, prefer non-authorities if any
+ are known.
+ - Make the "stable" router flag in network-status be the median of
+ the uptimes of running valid servers, and make clients pay
+ attention to the network-status flags. Thus the cutoff adapts
+ to the stability of the network as a whole, making IRC, IM, etc
+ connections more reliable.
+ - Add a new flag to network-status indicating whether the server
+ can answer v2 directory requests too.
+ - Directory mirrors now cache up to 16 unrecognized network-status
+ docs. Now we can add new authdirservers and they'll be cached too.
+ - Stop parsing, storing, or using running-routers output (but
+ mirrors still cache and serve it).
+ - Clients consider a threshold of versioning dirservers (dirservers
+ who have an opinion about which Tor versions are still recommended)
+ before deciding whether to warn the user that he's obsolete.
+
+ - Make directory servers return better http 404 error messages
+ instead of a generic "Servers unavailable".
+ - When writing the RecommendedVersions lines, sort them first.
+ - Retry directory requests if we fail to get an answer we like
+ from a given dirserver (we were retrying before, but only if
+ we fail to connect).
+ - Return a robots.txt on our dirport to discourage google indexing.
+
+ o Start on the new directory design:
+ - Publish individual descriptors (by fingerprint, by "all", and by
+ "tell me yours").
+ - Publish client and server recommended versions separately.
+ - Allow tor_gzip_uncompress() to handle multiple concatenated
+ compressed strings. Serve compressed groups of router
+ descriptors. The compression logic here could be more
+ memory-efficient.
+ - Change DirServers config line to note which dirs are v1 authorities.
+ - Remove option when getting directory cache to see whether they
+ support running-routers; they all do now. Replace it with one
+ to see whether caches support v2 stuff.
+
+ - Add tor.dizum.com as the fifth authoritative directory server.
+ - Add lefkada.eecs.harvard.edu as a fourth authoritative directory
+ server.
+ - Stop listing down or invalid nodes in the v1 directory. This
+ reduces its bulk by about 1/3, and reduces load on mirrors.
+ - Mirrors stop caching the v1 directory so often.
+ - Make the v2 dir's "Fast" flag based on relative capacity, just
+ like "Stable" is based on median uptime. Name everything in the
+ top 7/8 Fast, and only the top 1/2 gets to be a Guard.
+ - Authoritative dirservers no longer require an open connection from
+ a server to consider him "reachable". We need this change because
+ when we add new auth dirservers, old servers won't know not to
+ hang up on them.
+ - Dir authorities now do their own external reachability testing
+ of each server, and only list as running the ones they found to
+ be reachable. We also send back warnings to the server's logs if
+ it uploads a descriptor that we already believe is unreachable.
+ - If we as a directory mirror don't know of any v1 directory
+ authorities, then don't try to cache any v1 directories.
+
+ o New controller protocol:
+ - Revised controller protocol (version 1) that uses ascii rather
+ than binary. Add supporting libraries in python and java and
+ c# so you can use the controller from your applications without
+ caring how our protocol works.
+ - Allow the DEBUG controller event to work again. Mark certain log
+ entries as "don't tell this to controllers", so we avoid cycles.
+ - New controller function "getinfo accounting", to ask how
+ many bytes we've used in this time period.
+ - Add a "RESETCONF" command so you can set config options like
+ AllowUnverifiedNodes and LongLivedPorts to "". Also, if you give
+ a config option in the torrc with no value, then it clears it
+ entirely (rather than setting it to its default).
+ - Add a "GETINFO config-file" to tell us where torrc is.
+ - Implement some more GETINFO goodness: expose guard nodes, config
+ options, getinfo keys.
+ - Add a QUIT command for the controller (when using it manually).
+ - Add a new function to "change pseudonyms" -- that is, to stop
+ using any currently-dirty circuits for new streams, so we don't
+ link new actions to old actions. Currently it's only called on
+ HUP (or SIGNAL RELOAD).
+ - If we would close a stream early (e.g. it asks for a .exit that
+ we know would refuse it) but the LeaveStreamsUnattached config
+ option is set by the controller, then don't close it.
+ - Add a new controller event type that allows controllers to get
+ all server descriptors that were uploaded to a router in its role
+ as authoritative dirserver.
+ - New controller option "getinfo desc/all-recent" to fetch the
+ latest server descriptor for every router that Tor knows about.
+ - Fix the controller's "attachstream 0" command to treat conn like
+ it just connected, doing address remapping, handling .exit and
+ .onion idioms, and so on. Now we're more uniform in making sure
+ that the controller hears about new and closing connections.
+ - Permit transitioning from ORPort==0 to ORPort!=0, and back, from
+ the controller. Also, rotate dns and cpu workers if the controller
+ changes options that will affect them; and initialize the dns
+ worker cache tree whether or not we start out as a server.
+ - New controller signal NEWNYM that makes new application requests
+ use clean circuits.
+ - Add a new circuit purpose 'controller' to let the controller ask
+ for a circuit that Tor won't try to use. Extend the EXTENDCIRCUIT
+ controller command to let you specify the purpose if you're starting
+ a new circuit. Add a new SETCIRCUITPURPOSE controller command to
+ let you change a circuit's purpose after it's been created.
+ - Let the controller ask for GETINFO dir/server/foo so it can ask
+ directly rather than connecting to the dir port.
+ - Let the controller tell us about certain router descriptors
+ that it doesn't want Tor to use in circuits. Implement
+ SETROUTERPURPOSE and modify +POSTDESCRIPTOR to do this.
+ - When the controller's *setconf commands fail, collect an error
+ message in a string and hand it back to the controller.
+ - Allow "getinfo dir/status/foo" to work, as long as your DirPort
+ is enabled. (This is a hack, and will be fixed in 0.1.2.x.)
+
+ o Scalability, resource management, and performance:
+ - When we're a server, a client asks for an old-style directory,
+ and our write bucket is empty, don't give it to him. This way
+ small servers can continue to serve the directory *sometimes*,
+ without getting overloaded.
+ - Be more conservative about whether to advertise our DirPort.
+ The main change is to not advertise if we're running at capacity
+ and either a) we could hibernate or b) our capacity is low and
+ we're using a default DirPort.
+ - Compress exit policies even more -- look for duplicate lines
+ and remove them.
+ - Generate 18.0.0.0/8 address policy format in descs when we can;
+ warn when the mask is not reducible to a bit-prefix.
+ - Fix a major load balance bug: we were round-robining in 16 KB
+ chunks, and servers with bandwidthrate of 20 KB, while downloading
+ a 600 KB directory, would starve their other connections. Now we
+ try to be a bit more fair.
+ - On platforms that don't have getrlimit (like Windows), we were
+ artificially constraining ourselves to a max of 1024
+ connections. Now just assume that we can handle as many as 15000
+ connections. Hopefully this won't cause other problems.
+ - Tor servers with dynamic IP addresses were needing to wait 18
+ hours before they could start doing reachability testing using
+ the new IP address and ports. This is because they were using
+ the internal descriptor to learn what to test, yet they were only
+ rebuilding the descriptor once they decided they were reachable.
+ - Spread the authdirservers' reachability testing over the entire
+ testing interval, so we don't try to do 500 TLS's at once every
+ 20 minutes.
+ - Reduce memory requirements in our structs by changing the order
+ of fields.
+ - There used to be two ways to specify your listening ports in a
+ server descriptor: on the "router" line and with a separate "ports"
+ line. Remove support for the "ports" line.
+ - Replace balanced trees with hash tables: this should make stuff
+ significantly faster.
+ - Many other CPU and memory improvements.
+ - Inline bottleneck smartlist functions; use fast versions by default.
+ - Add a "Map from digest to void*" abstraction digestmap_t so we
+ can do less hex encoding/decoding. Use it in router_get_by_digest()
+ to resolve a performance bottleneck.
+ - Allow tor_gzip_uncompress to extract as much as possible from
+ truncated compressed data. Try to extract as many
+ descriptors as possible from truncated http responses (when
+ DIR_PURPOSE_FETCH_ROUTERDESC).
+ - Make circ->onionskin a pointer, not a static array. moria2 was using
+ 125000 circuit_t's after it had been up for a few weeks, which
+ translates to 20+ megs of wasted space.
+ - The private half of our EDH handshake keys are now chosen out
+ of 320 bits, not 1024 bits. (Suggested by Ian Goldberg.)
+ - Some Tor servers process billions of cells per day. These statistics
+ need to be uint64_t's.
+ - We weren't cannibalizing circuits correctly for
+ CIRCUIT_PURPOSE_C_ESTABLISH_REND and
+ CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, so we were being forced to
+ build those from scratch. This should make hidden services faster.
+ - Predict required circuits better, with an eye toward making hidden
+ services faster on the service end.
+ - We were marking servers down when they could not answer every piece
+ of the directory request we sent them. This was far too harsh.
+ - Stop doing the complex voodoo overkill checking for insecure
+ Diffie-Hellman keys. Just check if it's in [2,p-2] and be happy.
+ - Clean up more of the OpenSSL memory when exiting, so we can detect
+ memory leaks better.
+ - Do round-robin writes of at most 16 kB per write. This might be
+ more fair on loaded Tor servers.
+ - When a Tor server's IP changes (e.g. from a dyndns address),
+ upload a new descriptor so clients will learn too.
+ - Really busy servers were keeping enough circuits open on stable
+ connections that they were wrapping around the circuit_id
+ space. (It's only two bytes.) This exposed a bug where we would
+ feel free to reuse a circuit_id even if it still exists but has
+ been marked for close. Try to fix this bug. Some bug remains.
+
+ o Other bugfixes and improvements:
+ - When we fail to bind or listen on an incoming or outgoing
+ socket, we now close it before refusing, rather than just
+ leaking it. (Thanks to Peter Palfrader for finding.)
+ - Regenerate our local descriptor if it's dirty and we try to use
+ it locally (e.g. if it changes during reachability detection).
+ - Fix a file descriptor leak in start_daemon().
+ - On Windows, you can't always reopen a port right after you've
+ closed it. So change retry_listeners() to only close and re-open
+ ports that have changed.
+ - Newly bootstrapped Tor networks couldn't establish hidden service
+ circuits until they had nodes with high uptime. Be more tolerant.
+ - Workaround a problem with some http proxies where they refuse GET
+ requests that specify "Content-Length: 0" (reported by Adrian).
+ - Add reasons to DESTROY and RELAY_TRUNCATED cells, so clients can
+ get a better idea of why their circuits failed. Not used yet.
+ - Recover better from TCP connections to Tor servers that are
+ broken but don't tell you (it happens!); and rotate TLS
+ connections once a week.
+ - Fix a scary-looking but apparently harmless bug where circuits
+ would sometimes start out in state CIRCUIT_STATE_OR_WAIT at
+ servers, and never switch to state CIRCUIT_STATE_OPEN.
+ - Check for even more Windows version flags when writing the platform
+ string in server descriptors, and note any we don't recognize.
+ - Add TTLs to RESOLVED, CONNECTED, and END_REASON_EXITPOLICY cells.
+ We don't use them yet, but maybe one day our DNS resolver will be
+ able to discover them.
+ - Let people type "tor --install" as well as "tor -install" when they
+ want to make it an NT service.
+ - Correct the man page entry on TrackHostExitsExpire.
+ - Looks like we were never delivering deflated (i.e. compressed)
+ running-routers lists, even when asked. Oops.
+ - We were leaking some memory every time the client changes IPs.
+ - Never call free() on tor_malloc()d memory. This will help us
+ use dmalloc to detect memory leaks.
+ - Do not use unaligned memory access on alpha, mips, or mipsel.
+ It *works*, but is very slow, so we treat them as if it doesn't.
+ - It turns out we couldn't bootstrap a network since we added
+ reachability detection in 0.1.0.1-rc. Good thing the Tor network
+ has never gone down. Add an AssumeReachable config option to let
+ servers and dirservers bootstrap. When we're trying to build a
+ high-uptime or high-bandwidth circuit but there aren't enough
+ suitable servers, try being less picky rather than simply failing.
+ - Check [X-]Forwarded-For headers in HTTP requests when generating
+ log messages. This lets people run dirservers (and caches) behind
+ Apache but still know which IP addresses are causing warnings.
+
+ o Config option fixes:
+ - Add a new config option ExitPolicyRejectPrivate which defaults to
+ 1. This means all exit policies will begin with rejecting private
+ addresses, unless the server operator explicitly turns it off.
+ - Bump the default bandwidthrate to 3 MB, and burst to 6 MB.
+ - Add new ReachableORAddresses and ReachableDirAddresses options
+ that understand address policies. FascistFirewall is now a synonym
+ for "ReachableORAddresses *:443", "ReachableDirAddresses *:80".
+ - Start calling it FooListenAddress rather than FooBindAddress,
+ since few of our users know what it means to bind an address
+ or port.
+ - If the user gave Tor an odd number of command-line arguments,
+ we were silently ignoring the last one. Now we complain and fail.
+ This wins the oldest-bug prize -- this bug has been present since
+ November 2002, as released in Tor 0.0.0.
+ - If you write "HiddenServicePort 6667 127.0.0.1 6668" in your
+ torrc rather than "HiddenServicePort 6667 127.0.0.1:6668",
+ it would silently ignore the 6668.
+ - If we get a linelist or linelist_s config option from the torrc,
+ e.g. ExitPolicy, and it has no value, warn and skip rather than
+ silently resetting it to its default.
+ - Setconf was appending items to linelists, not clearing them.
+ - Add MyFamily to torrc.sample in the server section.
+ - Make ContactInfo mandatory for authoritative directory servers.
+ - Put nicknames on the DirServer line, so we can refer to them
+ without requiring all our users to memorize their IP addresses.
+ - MaxConn has been obsolete for a while now. Document the ConnLimit
+ config option, which is a *minimum* number of file descriptors
+ that must be available else Tor refuses to start.
+ - Get rid of IgnoreVersion undocumented config option, and make us
+ only warn, never exit, when we're running an obsolete version.
+ - Make MonthlyAccountingStart config option truly obsolete now.
+ - Let auth dir servers start without specifying an Address config
+ option.
+ - Change "AllowUnverifiedNodes" to "AllowInvalidNodes", to
+ reflect the updated flags in our v2 dir protocol.
+
+ o Config option features:
+ - Add a new config option FastFirstHopPK (on by default) so clients
+ do a trivial crypto handshake for their first hop, since TLS has
+ already taken care of confidentiality and authentication.
+ - Let the user set ControlListenAddress in the torrc. This can be
+ dangerous, but there are some cases (like a secured LAN) where it
+ makes sense.
+ - New config options to help controllers: FetchServerDescriptors
+ and FetchHidServDescriptors for whether to fetch server
+ info and hidserv info or let the controller do it, and
+ PublishServerDescriptor and PublishHidServDescriptors.
+ - Also let the controller set the __AllDirActionsPrivate config
+ option if you want all directory fetches/publishes to happen via
+ Tor (it assumes your controller bootstraps your circuits).
+ - "HardwareAccel" config option: support for crypto hardware
+ accelerators via OpenSSL. Off by default, until we find somebody
+ smart who can test it for us. (It appears to produce seg faults
+ in at least some cases.)
+ - New config option "AuthDirRejectUnlisted" for auth dirservers as
+ a panic button: if we get flooded with unusable servers we can
+ revert to only listing servers in the approved-routers file.
+ - Auth dir servers can now mark a fingerprint as "!reject" or
+ "!invalid" in the approved-routers file (as its nickname), to
+ refuse descriptors outright or include them but marked as invalid.
+ - Add a new config option TestSocks so people can see if their
+ applications are using socks4, socks4a, socks5-with-ip, or
+ socks5-with-fqdn. This way they don't have to keep mucking
+ with tcpdump and wondering if something got cached somewhere.
+ - Add "private:*" as an alias in configuration for policies. Now
+ you can simplify your exit policy rather than needing to list
+ every single internal or nonroutable network space.
+ - Accept "private:*" in routerdesc exit policies; not generated yet
+ because older Tors do not understand it.
+ - Dirservers can now reject/invalidate by key and IP, with the
+ config options "AuthDirInvalid" and "AuthDirReject". This is
+ useful since currently we automatically list servers as running
+ and usable even if we know they're jerks.
+ - Add configuration option "V1AuthoritativeDirectory 1" which
+ moria1, moria2, and tor26 have set.
+ - Implement an option, VirtualAddrMask, to set which addresses
+ get handed out in response to mapaddress requests. This works
+ around a bug in tsocks where 127.0.0.0/8 is never socksified.
+ - Add a new config option FetchUselessDescriptors, off by default,
+ for when you plan to run "exitlist" on your client and you want
+ to know about even the non-running descriptors.
+ - SocksTimeout: How long do we let a socks connection wait
+ unattached before we fail it?
+ - CircuitBuildTimeout: Cull non-open circuits that were born
+ at least this many seconds ago.
+ - CircuitIdleTimeout: Cull open clean circuits that were born
+ at least this many seconds ago.
+ - New config option SafeSocks to reject all application connections
+ using unsafe socks protocols. Defaults to off.
+
+ o Improved and clearer log messages:
+ - Reduce clutter in server logs. We're going to try to make
+ them actually usable now. New config option ProtocolWarnings that
+ lets you hear about how _other Tors_ are breaking the protocol. Off
+ by default.
+ - Divide log messages into logging domains. Once we put some sort
+ of interface on this, it will let people looking at more verbose
+ log levels specify the topics they want to hear more about.
+ - Provide dire warnings to any users who set DirServer; move it out
+ of torrc.sample and into torrc.complete.
+ - Make the log message less scary when all the dirservers are
+ temporarily unreachable.
+ - When tor_socketpair() fails in Windows, give a reasonable
+ Windows-style errno back.
+ - Improve tor_gettimeofday() granularity on windows.
+ - We were printing the number of idle dns workers incorrectly when
+ culling them.
+ - Handle duplicate lines in approved-routers files without warning.
+ - We were whining about using socks4 or socks5-with-local-lookup
+ even when it's an IP in the "virtual" range we designed exactly
+ for this case.
+ - Check for named servers when looking them up by nickname;
+ warn when we're calling a non-named server by its nickname;
+ don't warn twice about the same name.
+ - Downgrade the dirserver log messages when whining about
+ unreachability.
+ - Correct "your server is reachable" log entries to indicate that
+ it was self-testing that told us so.
+ - If we're trying to be a Tor server and running Windows 95/98/ME
+ as a server, explain that we'll likely crash.
+ - Provide a more useful warn message when our onion queue gets full:
+ the CPU is too slow or the exit policy is too liberal.
+ - Don't warn when we receive a 503 from a dirserver/cache -- this
+ will pave the way for them being able to refuse if they're busy.
+ - When we fail to bind a listener, try to provide a more useful
+ log message: e.g., "Is Tor already running?"
+ - Only start testing reachability once we've established a
+ circuit. This will make startup on dir authorities less noisy.
+ - Don't try to upload hidden service descriptors until we have
+ established a circuit.
+ - Tor didn't warn when it failed to open a log file.
+ - Warn when listening on a public address for socks. We suspect a
+ lot of people are setting themselves up as open socks proxies,
+ and they have no idea that jerks on the Internet are using them,
+ since they simply proxy the traffic into the Tor network.
+ - Give a useful message when people run Tor as the wrong user,
+ rather than telling them to start chowning random directories.
+ - Fix a harmless bug that was causing Tor servers to log
+ "Got an end because of misc error, but we're not an AP. Closing."
+ - Fix wrong log message when you add a "HiddenServiceNodes" config
+ line without any HiddenServiceDir line (reported by Chris Thomas).
+ - Authdirs now stop whining so loudly about bad descriptors that
+ they fetch from other dirservers. So when there's a log complaint,
+ it's for sure from a freshly uploaded descriptor.
+ - When logging via syslog, include the pid whenever we provide
+ a log entry. Suggested by Todd Fries.
+ - When we get an EOF or a timeout on a directory connection, note
+ how many bytes of serverdesc we are dropping. This will help
+ us determine whether it is smart to parse incomplete serverdesc
+ responses.
+ - When we're shutting down and we do something like try to post a
+ server descriptor or rendezvous descriptor, don't complain that
+ we seem to be unreachable. Of course we are, we're shutting down.
+ - Change log line for unreachability to explicitly suggest /etc/hosts
+ as the culprit. Also make it clearer what IP address and ports we're
+ testing for reachability.
+ - Put quotes around user-supplied strings when logging so users are
+ more likely to realize if they add bad characters (like quotes)
+ to the torrc.
+ - NT service patch from Matt Edman to improve error messages on Win32.
+ - Log server fingerprint on startup, so new server operators don't
+ have to go hunting around their filesystem for it.
+
Changes in version 0.1.0.17 - 2006-02-17
o Crash bugfixes on 0.1.0.x:
- When servers with a non-zero DirPort came out of hibernation,