Ouch. We were sometimes getting openssl compression by default. This is pointless for us, since the overwhelming majority of our cells are encrypted, full of compressed data, or both. This is also harmful, since doing piles of compression is not cheap. Backport candidate once more tested.

svn:r14830
2024-11-27 13:53:31 +01:00 · 2008-05-29 14:39:56 +00:00 · 2008-05-29 14:39:56 +00:00 · 61ac80a914
commit 61ac80a914
parent 3a469018e5
2 changed files with 7 additions and 0 deletions
--- a/3
+++ b/3
@ -107,6 +107,9 @@ Changes in version 0.2.1.1-alpha - 2008-??-??
    - New configure/torrc options (--enable-geoip-stats,
      DirRecordUsageByCountry) to record how many IPs we've served directory
      info to in each country code.
+    - Never use OpenSSL compression: it wastes RAM and CPU trying to
+      compress cells, which are basically all encrypted, compressed, or
+      both.

  o Minor features (security):
    - Reject requests for reverse-dns lookup of names in a private
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@ -564,6 +564,10 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
  SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
 #endif
  SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
+  /* Don't actually allow compression; it uses ram and time, but the data
+   * we transmit is all encrypted anyway. */
+  if (result->ctx->comp_methods)
+    result->ctx->comp_methods = NULL;
 #ifdef SSL_MODE_RELEASE_BUFFERS
  SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif