|
|
@@ -15,9 +15,6 @@
|
|
|
/** How much clock skew do we tolerate when checking certificates for
|
|
|
* known routers? (sec) */
|
|
|
#define TIGHT_CERT_ALLOW_SKEW (90*60)
|
|
|
-/** How much clock skew do we tolerate when checking certificates for
|
|
|
- * unknown routers/clients? (sec) */
|
|
|
-#define LOOSE_CERT_ALLOW_SKEW (24*60*60)
|
|
|
|
|
|
static int connection_tls_finish_handshake(connection_t *conn);
|
|
|
static int connection_or_process_cells_from_inbuf(connection_t *conn);
|
|
|
@@ -369,11 +366,13 @@ connection_tls_finish_handshake(connection_t *conn) {
|
|
|
nickname, conn->address, conn->port);
|
|
|
return -1;
|
|
|
}
|
|
|
+#if 0
|
|
|
if(tor_tls_check_lifetime(conn->tls, LOOSE_CERT_ALLOW_SKEW)<0) {
|
|
|
- log_fn(LOG_WARN,"Other side '%s' (%s:%d) has a very highly skewed clock, or an expired certificate. Closing.",
|
|
|
+ log_fn(LOG_WARN,"Other side '%s' (%s:%d) has a very highly skewed clock, or an expired certificate. Closing.",
|
|
|
nickname, conn->address, conn->port);
|
|
|
return -1;
|
|
|
}
|
|
|
+#endif
|
|
|
log_fn(LOG_DEBUG,"The router's cert is valid.");
|
|
|
crypto_pk_get_digest(identity_rcvd, digest_rcvd);
|
|
|
|
|
|
@@ -394,7 +393,7 @@ connection_tls_finish_handshake(connection_t *conn) {
|
|
|
if (router_get_by_digest(digest_rcvd)) {
|
|
|
/* This is a known router; don't cut it slack with its clock skew. */
|
|
|
if(tor_tls_check_lifetime(conn->tls, TIGHT_CERT_ALLOW_SKEW)<0) {
|
|
|
- log_fn(LOG_WARN,"Router '%s' (%s:%d) has a skewed clock, or an expired certificate. Closing.",
|
|
|
+ log_fn(LOG_WARN,"Router '%s' (%s:%d) has a skewed clock, or an expired certificate; or else our clock is skewed. Closing.",
|
|
|
nickname, conn->address, conn->port);
|
|
|
return -1;
|
|
|
}
|
Nick Mathewson