[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] r16725: {tor} Backport r15821 to 0.2.0: Disallow session resumption during (in tor/branches/tor-0_2_0-patches: . doc src/common)
Author: nickm
Date: 2008-09-01 18:00:07 -0400 (Mon, 01 Sep 2008)
New Revision: 16725
Modified:
tor/branches/tor-0_2_0-patches/ChangeLog
tor/branches/tor-0_2_0-patches/doc/TODO.020
tor/branches/tor-0_2_0-patches/src/common/tortls.c
Log:
Backport r15821 to 0.2.0: Disallow session resumption during renegotiation.
Modified: tor/branches/tor-0_2_0-patches/ChangeLog
===================================================================
--- tor/branches/tor-0_2_0-patches/ChangeLog 2008-09-01 21:24:25 UTC (rev 16724)
+++ tor/branches/tor-0_2_0-patches/ChangeLog 2008-09-01 22:00:07 UTC (rev 16725)
@@ -17,6 +17,11 @@
an alias for the actually-working --with-openssl-dir option. Fix the
help documentation to recommend --with-openssl-dir. Based on a patch
by "Dave". Bugfix on 0.2.0.1-alpha.
+ - Disallow session resumption attempts during the renegotiation
+ stage of the v2 handshake protocol. Clients should never be
+ trying session resumption at this point, but apparently some
+ did, in ways that caused the handshake to fail. Bugfix on
+ 0.2.0.20-rc. Bug found by Geoff Goodell.
Changes in version 0.2.0.30 - 2008-07-15
Modified: tor/branches/tor-0_2_0-patches/doc/TODO.020
===================================================================
--- tor/branches/tor-0_2_0-patches/doc/TODO.020 2008-09-01 21:24:25 UTC (rev 16724)
+++ tor/branches/tor-0_2_0-patches/doc/TODO.020 2008-09-01 22:00:07 UTC (rev 16725)
@@ -3,13 +3,13 @@
description of the patch.)
Backport items for 0.2.0:
- - r14247: tor-spec and dir-spec updates [just backport the whole files]
+ X r14247: tor-spec and dir-spec updates [just backport the whole files]
Backport for 0.2.0 once better tested:
d r14830: disable openssl compression.
- r15699,15700: react quickly to readiness of rendezvous circuits.
- - r15821: fix bug related to TLS session negotiation.
- - r16136: prevent circid collision. [Also backport to 0.1.2.x??]
+ o r15821: fix bug related to TLS session negotiation.
+ o r16136: prevent circid collision. [Also backport to 0.1.2.x??]
- r16143: generate stream close events from connection_edge_destroy().
- r16450: open /dev/pf before dropping privileges.
- r16605: relays reject risky extend cells.
Modified: tor/branches/tor-0_2_0-patches/src/common/tortls.c
===================================================================
--- tor/branches/tor-0_2_0-patches/src/common/tortls.c 2008-09-01 21:24:25 UTC (rev 16724)
+++ tor/branches/tor-0_2_0-patches/src/common/tortls.c 2008-09-01 22:00:07 UTC (rev 16725)
@@ -564,6 +564,11 @@
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
#endif
SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
+
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ SSL_CTX_set_options(result->ctx,
+ SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
if (cert && !SSL_CTX_use_certificate(result->ctx,cert))
goto error;
X509_free(cert); /* We just added a reference to cert. */