
parameterize SSLKeyLifetime

no actual changes in behavior yet
Roger Dingledine 11 years ago
parent
commit
599aeef9bc
3 changed files with 9 additions and 4 deletions
  1. 1 0
      src/or/config.c
  2. 3 2
      src/or/or.h
  3. 5 2
      src/or/router.c

+ 1 - 0
src/or/config.c

@@ -380,6 +380,7 @@ static config_var_t option_vars_[] = {
   V(SocksPolicy,                 LINELIST, NULL),
   VPORT(SocksPort,                   LINELIST, NULL),
   V(SocksTimeout,                INTERVAL, "2 minutes"),
+  V(SSLKeyLifetime,              INTERVAL, "365 days"),
   OBSOLETE("StatusFetchPeriod"),
   V(StrictNodes,                 BOOL,     "0"),
   OBSOLETE("SysLog"),
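Review bot: The new `V(SSLKeyLifetime, INTERVAL, "365 days")` entry has no accompanying range check, so a configured value of 0 (or a few seconds) would be accepted at parse time and then used verbatim as the certificate expiry in router.c. The INTERVAL parser presumably only guarantees the value fits the int field; a lower bound (and arguably an upper bound) belongs in options_validate, which is outside this diff, e.g. `if (options->SSLKeyLifetime <= 0) REJECT("SSLKeyLifetime must be a positive interval.");`. It is also worth noting in the option's documentation that a non-default lifetime makes the relay's TLS certificates distinguishable from the rest of the network, since the previous value was a single network-wide constant.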

+ 3 - 2
src/or/or.h

@@ -177,8 +177,6 @@
 #define MIN_ONION_KEY_LIFETIME (7*24*60*60)
 /** How often do we rotate TLS contexts? */
 #define MAX_SSL_KEY_LIFETIME_INTERNAL (2*60*60)
-/** What expiry time shall we place on our SSL certs? */
-#define MAX_SSL_KEY_LIFETIME_ADVERTISED (365*24*60*60)
 
 /** How old do we allow a router to get before removing it
  * from the router list? In seconds. */
@@ -4010,6 +4008,9 @@ typedef struct {
    */
   int DisableV2DirectoryInfo_;
 
+  /** What expiry time shall we place on our SSL certs? */
+  int SSLKeyLifetime;
+
 } or_options_t;
 
 /** Persistent state for an onion router, as saved to disk. */
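Review bot: The doc comment on the new `SSLKeyLifetime` field in the second hunk does not state its unit, while the constant it replaces (`MAX_SSL_KEY_LIFETIME_ADVERTISED (365*24*60*60)`) made seconds explicit. Since the field is later cast to `unsigned int` and passed straight to the TLS layer, the unit and the expected range should be stated where the field is declared, e.g. `/** What expiry time, in seconds, shall we place on our SSL certs? Must be positive; set from the SSLKeyLifetime option. */`. The `or_options_t` struct begins well before this hunk.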

+ 5 - 2
src/or/router.c

@@ -650,6 +650,7 @@ router_initialize_tls_context(void)
 {
   unsigned int flags = 0;
   const or_options_t *options = get_options();
+  int lifetime = options->SSLKeyLifetime;
   if (public_server_mode(options))
     flags |= TOR_TLS_CTX_IS_PUBLIC_SERVER;
   if (options->TLSECGroup) {
@@ -659,11 +660,13 @@ router_initialize_tls_context(void)
       flags |= TOR_TLS_CTX_USE_ECDHE_P224;
   }
 
+  /* It's ok to pass lifetime in as an unsigned int, since
+   * config_parse_interval() checked it. */
   return tor_tls_context_init(flags,
                               get_tlsclient_identity_key(),
-                              server_mode(get_options()) ?
+                              server_mode(options) ?
                               get_server_identity_key() : NULL,
-                              MAX_SSL_KEY_LIFETIME_ADVERTISED);
+                              (unsigned int)lifetime);
 }
 
 /** Initialize all OR private keys, and the TLS context, as necessary.
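Review bot: The `(unsigned int)lifetime` cast on the last added line is justified only by the comment that `config_parse_interval()` checked the value, but that comment is stated as fact and the parser is not visible here; if it rejects only negative or oversized values, a configured 0 still reaches `tor_tls_context_init()` and yields certificates that are expired on issue. A cheap local guard makes the assumption explicit and keeps the cast sound, e.g. `tor_assert(lifetime > 0);` before the call, or a `log_warn`-and-fallback if a hard assertion is not wanted on a config error. The replacement of the second `get_options()` with the cached `options` pointer is a good consistency fix. `router_initialize_tls_context()`'s signature lies just above the first hunk, outside the shown lines.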