Ouch. We were sometimes getting openssl compression by default. This is pointless for us, since the overwhelming majority of our cells are encrypted, full of compressed data, or both. This is also harmful, since doing piles of compression is not cheap. Backport candidate once more tested.

svn:r14830

ChangeLog

@@ -107,6 +107,9 @@ Changes in version 0.2.1.1-alpha - 2008-??-??
     - New configure/torrc options (--enable-geoip-stats,
       DirRecordUsageByCountry) to record how many IPs we've served directory
       info to in each country code.
+    - Never use OpenSSL compression: it wastes RAM and CPU trying to
+      compress cells, which are basically all encrypted, compressed, or
+      both.
 
   o Minor features (security):
     - Reject requests for reverse-dns lookup of names in a private

src/common/tortls.c

@@ -564,6 +564,10 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
 #endif
   SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
+  /* Don't actually allow compression; it uses ram and time, but the data
+   * we transmit is all encrypted anyway. */
+  if (result->ctx->comp_methods)
+    result->ctx->comp_methods = NULL;
 #ifdef SSL_MODE_RELEASE_BUFFERS
   SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif