From da6750033656f1f1dd3897a6a7db501bf1ecdee4 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Mon, 19 May 2008 18:13:00 +0000
Subject: If the user has an openssl that supports my "release buffer ram" patch, use it.
svn:r14671
---
 ChangeLog | 4 ++++
 src/common/tortls.c | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 50261119c..7351711a2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -91,6 +91,10 @@ Changes in version 0.2.1.1-alpha - 2008-??-??
 this new scheme when the server supports it.
 - Add a new V3AuthUseLegacyKey option to make it easier for authorities to change their identity keys if they have to.
+ - If the user has applied the experimental SSL_MODE_RELEASE_BUFFERS
+ patch to their OpenSSL, turn it on to save memory on servers. This
+ patch will (with any luck) get included in a mainline distribution
+ before too long.
 o Minor features (security):
 - Reject requests for reverse-dns lookup of names in a private
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 48a139394..b93117697 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -564,6 +564,9 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
 SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
 #endif
 SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
+#ifdef SSL_MODE_RELEASE_BUFFERS
+ SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
 if (cert && !SSL_CTX_use_certificate(result->ctx,cert)) goto error;
 X509_free(cert); /* We just added a reference to cert. */
-- 
cgit v1.2.3
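Review bot: The `#ifdef SSL_MODE_RELEASE_BUFFERS` guard added in tor_tls_context_new only shows that the headers used at build time carried the patch; it says nothing about the libssl loaded at run time. A binary built against patched headers but run with an unpatched shared library would pass a mode bit that library may not define (how it treats an unknown bit is not visible here). The ChangeLog entry in this same commit calls the patch experimental, yet the mode is switched on for every context with no comment and no way to turn it off, and it presumably changes when the TLS layer frees and reallocates per-connection buffers in a network-facing daemon. I would at least record the intent next to the call, e.g. `/* Let OpenSSL release idle connection buffers to save RAM; needs the experimental release-buffers patch in both the headers and the runtime libssl. */`, and consider a configuration switch so operators can disable it if the patched library misbehaves. The function body starts and ends outside this hunk.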