author | Nick Mathewson <nickm@torproject.org> | 2010-04-15 10:35:09 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2010-04-15 10:35:09 -0400 |
commit | c38fa93ad180e2d53f759821386d2b1dbff90100 (patch) | |
tree | f4d597edced50ef9982027be535aa2e2d4b72a61 | |
parent | c29977ce00fc70c96abfa6600b3d3ccb4939bad2 (diff) | |
parent | 6ad09cc6afa4d620978b6b18f7f134d15903dcc1 (diff) | |
Merge commit 'origin/maint-0.2.1'
-rw-r--r-- | changes/use_ssl_option_everywhere | 5 | ||||
-rw-r--r-- | src/common/tortls.c | 10 |
2 files changed, 11 insertions, 4 deletions
diff --git a/changes/use_ssl_option_everywhere b/changes/use_ssl_option_everywhere
new file mode 100644
index 000000000..02adb3c8b
--- /dev/null
+++ b/changes/use_ssl_option_everywhere
@@ -0,0 +1,5 @@
+  o Major bugfixes:
+    - Fix SSL renegotiation behavior on OpenSSL versions that claim to
+      be earlier than 0.9.8m, but which have in reality backported huge
+      swaths of 0.9.8m or 0.9.8n renegotiation behavior. Possibly fix
+      for some cases of bug 1346.
diff --git a/src/common/tortls.c b/src/common/tortls.c
index b4984802f..df77fb066 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -368,8 +368,8 @@ tor_tls_init(void)
  * OpenSSL 0.9.8l.
  *
  * No, we can't just set flag 0x0010 everywhere. It breaks Tor with
- * OpenSSL 1.0.0beta3 and later. No, we can't just set option
- * 0x00040000L everywhere: before 0.9.8m, it meant something else.
+ * OpenSSL 1.0.0beta3 and later. On the other hand, we might be able to
+ * set option 0x00040000L everywhere.
  *
  * No, we can't simply detect whether the flag or the option is present
  * in the headers at build-time: some vendors (notably Apple) like to
@@ -393,10 +393,12 @@ tor_tls_init(void)
   } else if (version < 0x009080c0L) {
     log_notice(LD_GENERAL, "OpenSSL %s [%lx] looks like it's older than "
                "0.9.8l, but some vendors have backported 0.9.8l's "
-               "renegotiation code to earlier versions. I'll set "
-               "SSL3_FLAGS just to be safe.",
+               "renegotiation code to earlier versions, and some have "
+               "backported the code from 0.9.8m or 0.9.8n. I'll set both "
+               "SSL3_FLAGS and SSL_OP just to be safe.",
                SSLeay_version(SSLEAY_VERSION), version);
     use_unsafe_renegotiation_flag = 1;
+    use_unsafe_renegotiation_op = 1;
   } else {
     log_info(LD_GENERAL, "OpenSSL %s has version %lx",
              SSLeay_version(SSLEAY_VERSION), version);
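Review bot: The rewritten comment in the first tortls.c hunk now says only that "we might be able to set option 0x00040000L everywhere", dropping the previous explanation that this option value meant something else before 0.9.8m, while the second hunk acts on that hedge unconditionally by adding `use_unsafe_renegotiation_op = 1;` to the pre-0.9.8l branch. The reason this is now considered safe is stated only in the changes entry (vendors backporting 0.9.8m/0.9.8n renegotiation code without bumping the reported version, bug 1346) and should live next to the assignment so the next reader does not re-derive it; a comment such as `/* Some vendors backport 0.9.8m/n renegotiation code without changing the version, so set the SSL_OP too; see bug 1346. */` above the new line would do. It would also help to note in the block comment what the option value did on genuinely old builds, since the code now deliberately sets it there. tor_tls_init() begins and ends outside both hunks.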