Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge remote-tracking branch 'origin/maint-0.2.2'

Nick Mathewson 12 years ago
parent
75b72bf621 6d85a79653
commit
329e1c65d3
2 changed files with 21 additions and 0 deletions
Split View Show Diff Stats
  1. 6 0
      changes/bug6033
  2. 15 0
      src/common/tortls.c

+ 6 - 0
changes/bug6033
View File 

@@ -0,0 +1,6 @@
 
+  o Major bugfixes:
 
+    - Work around a bug in OpenSSL that broke renegotiation with
 
+      TLS 1.1 and TLS 1.2.  Without this workaround, all attempts
 
+      to speak the v2 Tor network protocol when both sides were
 
+      using OpenSSL 1.0.1 would fail.  Fix for bug 6033, which is
 
+      not a bug in Tor.

+ 15 - 0
src/common/tortls.c
View File 

@@ -1172,6 +1172,21 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
 
     goto error;
 
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
 
 
+  /* Disable TLS1.1 and TLS1.2 if they exist.  We need to do this to
 
+   * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
 
+   * June 2012), wherein renegotiating while using one of these TLS
 
+   * protocols will cause the client to send a TLS 1.0 ServerHello
 
+   * rather than a ServerHello written with the appropriate protocol
 
+   * version.  Once some version of OpenSSL does TLS1.1 and TLS1.2
 
+   * renegotiation properly, we can turn them back on when built with
 
+   * that version. */
 
+#ifdef SSL_OP_NO_TLSv1_2
 
+  SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2);
 
+#endif
 
+#ifdef SSL_OP_NO_TLSv1_1
 
+  SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1);
 
+#endif
 
+
 
   if (
 
 #ifdef DISABLE_SSL3_HANDSHAKE
 
       1 ||