Re: [tor-bugs] #11454 [Tor]: If two auth certs are both old but were generated nearby in time, we keep both
#11454: If two auth certs are both old but were generated nearby in time, we keep
both
------------------------+----------------------------------------
Reporter: arma | Owner:
Type: defect | Status: needs_review
Priority: normal | Milestone: Tor: 0.2.6.x-final
Component: Tor | Version:
Resolution: | Keywords: 026-triaged-1, nickm-patch
Actual Points: | Parent ID:
Points: |
------------------------+----------------------------------------
Comment (by sysrqb):
Relatively quick review. The rewrite seems to solve this and #11457.
Thoughts:
- if the first cert in the list is very expired and all subsequent certs
are from the future, we don't remove it until we reach the future.
- I think similar scenario to #11457, where one cert is created then soon
after another is created, after two days all tors will discard the
original cert. If the authority then starts reusing the original, everyone
will re-request it every hour? This is much less bad than #11457, but it's
a side-effect of discarding unexpired, superseded certs.
- should we remember the signing key digest of the certs we download, and
not discard superseded certs which we redownload often?
- I wonder what other weird edge cases exist.
Minor cosmetic changes:
{{{
diff --git a/src/or/routerlist.c b/src/or/routerlist.c
index 7112282..83d1c69 100644
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@ -498,7 +498,7 @@ trusted_dirs_remove_old_certs(void)
* Remove it. */
should_remove = 1;
} else if (next_cert_published + SUPERSEDED_CERT_LIFETIME < now) {
- /* Certificate has been superseded for OLD_CERT_LIFETIME.
+ /* Certificate has been superseded for SUPERSEDED_CERT_LIFETIME.
* Remove it.
*/
should_remove = 1;
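Review bot: The reworded comment on the `else if` branch says only "superseded for SUPERSEDED_CERT_LIFETIME", while the test is `next_cert_published + SUPERSEDED_CERT_LIFETIME < now`, so the interval is counted from the newer cert's published time rather than from when this client first saw it. Stating that in the comment would make the future-dated and nearby-cert cases easier to reason about. The closing `*/` could also move up onto the "Remove it." line to match the branch above.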
@@ -512,7 +512,7 @@ trusted_dirs_remove_old_certs(void)
} DIGESTMAP_FOREACH_END;
#undef DEAD_CERT_LIFETIME
-#undef OLD_CERT_LIFETIME
+#undef SUPERSEDED_CERT_LIFETIME
trusted_dirs_flush_certs_to_disk();
}
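Review bot: At `#undef SUPERSEDED_CERT_LIFETIME`, the unchanged condition in the first hunk already uses SUPERSEDED_CERT_LIFETIME, so before this change the function undefined the old name and left the new macro defined past its end. It is worth confirming that nothing later in routerlist.c came to depend on the leaked macro, and that the matching #define (not visible in this diff) sits next to the one for DEAD_CERT_LIFETIME.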
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11454#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
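The first two edge cases raised in the comment above, as an added example that is not Tor's code and not part of the original message: a simplified C model of the pruning pass. The struct, the function names, the expiry test, the stop-at-future-cert rule and the DEAD_CERT_LIFETIME value are assumptions; only the superseded test and the two-day figure come from the page.

```c
#include <stddef.h>
#include <time.h>

#define DAY ((time_t)(24 * 60 * 60))
/* Two days for superseded certs is from the comment above; the dead-cert
 * grace period is an assumed value for this model. */
#define SUPERSEDED_CERT_LIFETIME (2 * DAY)
#define DEAD_CERT_LIFETIME (2 * DAY)
#define NOW ((time_t)1400000000) /* constructed reference time */

typedef struct { time_t published, expires; int removed; } model_cert_t;

/* Prune one authority's certs, sorted oldest-published first.
 * Returns how many certs were marked removed in this pass. */
size_t prune_model(model_cert_t *certs, size_t n, time_t now)
{
  size_t count = 0;
  for (size_t i = 0; i + 1 < n; i++) { /* the newest cert is never a candidate */
    time_t next_cert_published = certs[i + 1].published;
    if (certs[i].removed)
      continue;
    if (next_cert_published > now)
      break; /* assumed: later certs are from the future, stop pruning */
    /* assumed expiry test, then the superseded test visible in the patch */
    if (certs[i].expires + DEAD_CERT_LIFETIME < now ||
        next_cert_published + SUPERSEDED_CERT_LIFETIME < now) {
      certs[i].removed = 1;
      count++;
    }
  }
  return count;
}

/* First thought: a long-expired cert followed by a future-dated cert. */
size_t expired_then_future(time_t now)
{
  model_cert_t c[] = { { NOW - 400 * DAY, NOW - 30 * DAY, 0 },
                       { NOW + DAY, NOW + 366 * DAY, 0 } };
  return prune_model(c, 2, now);
}

/* Second thought: two unexpired certs published one hour apart. */
size_t nearby_pair(time_t now)
{
  model_cert_t c[] = { { NOW - DAY, NOW + 364 * DAY, 0 },
                       { NOW - DAY + 3600, NOW + 364 * DAY, 0 } };
  return prune_model(c, 2, now);
}
```

In this model the expired cert survives until the clock reaches the future cert's published time, and the older of the nearby pair is dropped two days after its successor was published even though it has not expired.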