From 61ac80a9147c06fae616aee4a53dce1e18ebd7c2 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Thu, 29 May 2008 14:39:56 +0000 Subject: [PATCH] Ouch. We were sometimes getting openssl compression by default. This is pointless for us, since the overwhelming majority of our cells are encrypted, full of compressed data, or both. This is also harmful, since doing piles of compression is not cheap. Backport candidate once more tested. svn:r14830 --- ChangeLog | 3 +++ src/common/tortls.c | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index cfe5e3b006..47faaaa3b5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -107,6 +107,9 @@ Changes in version 0.2.1.1-alpha - 2008-??-?? - New configure/torrc options (--enable-geoip-stats, DirRecordUsageByCountry) to record how many IPs we've served directory info to in each country code. + - Never use OpenSSL compression: it wastes RAM and CPU trying to + compress cells, which are basically all encrypted, compressed, or + both. o Minor features (security): - Reject requests for reverse-dns lookup of names in a private diff --git a/src/common/tortls.c b/src/common/tortls.c index b931176973..752ff6f8f8 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -564,6 +564,10 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime) SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); #endif SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE); + /* Don't actually allow compression; it uses ram and time, but the data + * we transmit is all encrypted anyway. */ + if (result->ctx->comp_methods) + result->ctx->comp_methods = NULL; #ifdef SSL_MODE_RELEASE_BUFFERS SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS); #endif
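Review bot: in the tortls.c hunk, the `if (result->ctx->comp_methods)` guard is redundant, since assigning NULL to a pointer that is already NULL is a no-op; either drop the conditional or, better, avoid reaching into the SSL_CTX structure at all, because `comp_methods` is an OpenSSL-internal field that is not part of the public API and can change or become inaccessible in later releases. Where the headers define it, the same effect is obtained through the public interface, `SSL_CTX_set_options(result->ctx, SSL_OP_NO_COMPRESSION);`, and an `#ifdef SSL_OP_NO_COMPRESSION` guard with the struct write as the fallback would match the `SSL_OP_NO_SSLv2` and `SSL_MODE_RELEASE_BUFFERS` guards already in this function. The comment should also spell "ram" as "RAM" to match the ChangeLog wording.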