From f0212197cccf461e431d6807a94ea0fdc411e179 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Fri, 27 Apr 2012 12:13:56 -0400 Subject: Only disable cert chaining on the first TLS handshake If the client uses a v2 cipherlist on the renegotiation handshake, it looks as if they could fail to get a good cert chain from the server, since they server would re-disable certificate chaining. This patch makes it so the code that make the server side of the first v2 handshake special can get called only once. Fix for 4591; bugfix on 0.2.0.20-rc. --- src/common/tortls.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'src/common') diff --git a/src/common/tortls.c b/src/common/tortls.c index 4c9d2188d..abdd411df 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -965,7 +965,9 @@ tor_tls_server_info_callback(const SSL *ssl, int type, int val) /* Now check the cipher list. */ if (tor_tls_client_is_using_v2_ciphers(ssl, ADDR(tls))) { - /*XXXX_TLS keep this from happening more than once! */ + if (tls->wasV2Handshake) + return; /* We already turned this stuff off for the first handshake; + * This is a renegotiation. */ /* Yes, we're casting away the const from ssl. This is very naughty of us. * Let's hope openssl doesn't notice! */ -- cgit v1.2.3