13 роки тому · 62ec584a30
--- a/changes/bug4014
+++ b/changes/bug4014
@@ -0,0 +1,3 @@
 
															+  o Minor features:
														
 
															+    - Adjust the expiration time on our SSL session certificates to
														
 
															+      better match SSL certs seen in the wild. Resolves ticket 4014.
														
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -866,12 +866,14 @@ run_scheduled_events(time_t now)
 
															       now + DESCRIPTOR_FAILURE_RESET_INTERVAL;
														
 
															   }
														
 
															-  /** 1b. Every MAX_SSL_KEY_LIFETIME seconds, we change our TLS context. */
														
 
															+  /** 1b. Every MAX_SSL_KEY_LIFETIME_INTERNAL seconds, we change our
														
 
															+   * TLS context. */
														
 
															   if (!last_rotated_x509_certificate)
														
 
															     last_rotated_x509_certificate = now;
														
 
															-  if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME < now) {
														
 
															+  if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME_INTERNAL < now) {
														
 
															     log_info(LD_GENERAL,"Rotating tls context.");
														
 
															-    if (tor_tls_context_new(get_identity_key(), MAX_SSL_KEY_LIFETIME) < 0) {
														
 
															+    if (tor_tls_context_new(get_identity_key(),
														
 
															+                            MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
														
 
															       log_warn(LD_BUG, "Error reinitializing TLS context");
														
 
															       /* XXX is it a bug here, that we just keep going? -RD */
														
 
															     }
														
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -166,7 +166,9 @@
 
															 /** How often do we rotate onion keys? */
														
 
															 #define MIN_ONION_KEY_LIFETIME (7*24*60*60)
														
 
															 /** How often do we rotate TLS contexts? */
														
 
															-#define MAX_SSL_KEY_LIFETIME (2*60*60)
														
 
															+#define MAX_SSL_KEY_LIFETIME_INTERNAL (2*60*60)
														
 
															+/** What expiry time shall we place on our SSL certs? */
														
 
															+#define MAX_SSL_KEY_LIFETIME_ADVERTISED (365*24*60*60)
														
 
															 /** How old do we allow a router to get before removing it
														
 
															  * from the router list? In seconds. */
														
--- a/src/or/router.c
+++ b/src/or/router.c
@@ -458,7 +458,8 @@ init_keys(void)
 
															     }
														
 
															     set_identity_key(prkey);
														
 
															     /* Create a TLS context; default the client nickname to "client". */
														
 
															-    if (tor_tls_context_new(get_identity_key(), MAX_SSL_KEY_LIFETIME) < 0) {
														
 
															+    if (tor_tls_context_new(get_identity_key(),
														
 
															+                            MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
														
 
															       log_err(LD_GENERAL,"Error creating TLS context for Tor client.");
														
 
															       return -1;
														
 
															     }
														
@@ -536,7 +537,8 @@ init_keys(void)
 
															   tor_free(keydir);
														
 
															   /* 3. Initialize link key and TLS context. */
														
 
															-  if (tor_tls_context_new(get_identity_key(), MAX_SSL_KEY_LIFETIME) < 0) {
														
 
															+  if (tor_tls_context_new(get_identity_key(),
														
 
															+                          MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
														
 
															     log_err(LD_GENERAL,"Error initializing TLS context");
														
 
															     return -1;
														
 
															   }