[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] r14671: If the user has an openssl that supports my "release buffer (in tor/trunk: . src/common)
Author: nickm
Date: 2008-05-19 14:13:00 -0400 (Mon, 19 May 2008)
New Revision: 14671
Modified:
tor/trunk/ChangeLog
tor/trunk/src/common/tortls.c
Log:
If the user has an openssl that supports my "release buffer ram" patch, use it.
Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog 2008-05-19 17:22:22 UTC (rev 14670)
+++ tor/trunk/ChangeLog 2008-05-19 18:13:00 UTC (rev 14671)
@@ -91,6 +91,10 @@
this new scheme when the server supports it.
- Add a new V3AuthUseLegacyKey option to make it easier for authorities
to change their identity keys if they have to.
+ - If the user has applied the experimental SSL_MODE_RELEASE_BUFFERS
+ patch to their OpenSSL, turn it on to save memory on servers. This
+ patch will (with any luck) get included in a mainline distribution
+ before too long.
o Minor features (security):
- Reject requests for reverse-dns lookup of names in a private
Modified: tor/trunk/src/common/tortls.c
===================================================================
--- tor/trunk/src/common/tortls.c 2008-05-19 17:22:22 UTC (rev 14670)
+++ tor/trunk/src/common/tortls.c 2008-05-19 18:13:00 UTC (rev 14671)
@@ -564,6 +564,9 @@
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
#endif
SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
+#ifdef SSL_MODE_RELEASE_BUFFERS
+ SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
if (cert && !SSL_CTX_use_certificate(result->ctx,cert))
goto error;
X509_free(cert); /* We just added a reference to cert. */