Ouch. We were sometimes getting OpenSSL compression by default. This is pointless for us, since the overwhelming majority of our cells are encrypted, full of compressed data, or both. This is also harmful, since doing piles of compression is not cheap. Backport candidate once more tested.

svn:r14830
Nick Mathewson 2008-05-29 14:39:56 +00:00
parent 3a469018e5
commit 61ac80a914
2 changed files with 7 additions and 0 deletions
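The commit message's argument, as an added example in Python (not code from Tor or OpenSSL): running deflate over cell-sized blocks of random bytes (standing in for onion-encrypted cells) and over a slice of an existing deflate stream (standing in for already-compressed directory data) never makes them smaller, while a plaintext cell shrinks a lot, and every cell costs CPU either way. The 512-byte cell size, the sample payloads and the helper names are assumptions made for this example. The last two functions show the public-API way to refuse TLS compression, `SSL_OP_NO_COMPRESSION` (exposed as `ssl.OP_NO_COMPRESSION` in Python), which OpenSSL only added in 1.0.0, after this commit.

```python
"""Added example, not Tor's or OpenSSL's code: measure what TLS-level deflate
would do to Tor cells, and turn compression off through the public API.
Cell size, sample payloads and function names are assumptions for this demo."""
import os
import ssl
import time
import zlib

CELL_LEN = 512  # assumption: fixed-size Tor cell (3-byte header + 509-byte payload)


def make_cells():
    """Constructed sample cells, one per kind of payload a relay forwards."""
    # A plaintext directory request: the only kind that compresses well.
    plaintext = (b"GET /tor/server/all HTTP/1.0\r\nHost: example\r\n\r\n" * 20)[:CELL_LEN]
    # Onion-encrypted relay cell: ciphertext is indistinguishable from random bytes.
    encrypted = os.urandom(CELL_LEN)
    # Already-deflated directory data: a slice of a real zlib stream over a
    # constructed router listing.
    listing = b"".join(
        b"router r%d 10.%d.%d.%d 9001 0 9030 %x\n"
        % (i, i % 256, (i * 7) % 256, (i * 13) % 256, i * i)
        for i in range(3000)
    )
    compressed = zlib.compress(listing, 9)[:CELL_LEN]
    return {"plaintext": plaintext, "encrypted": encrypted, "compressed": compressed}


def deflate_ratio(data, level=6):
    """zlib output size over input size; >= 1.0 means compression only added overhead."""
    return len(zlib.compress(data, level)) / len(data)


def cell_compression_report(rounds=2000):
    """Compress each cell kind `rounds` times; report size ratio and CPU cost per cell."""
    report = {}
    for kind, cell in make_cells().items():
        start = time.perf_counter()
        for _ in range(rounds):
            out = zlib.compress(cell, 6)
        elapsed = time.perf_counter() - start
        report[kind] = {
            "in_bytes": len(cell),
            "out_bytes": len(out),
            "ratio": len(out) / len(cell),
            "usec_per_cell": 1e6 * elapsed / rounds,
        }
    return report


def tls_context_without_compression():
    """Disable TLS compression with SSL_OP_NO_COMPRESSION (OpenSSL >= 1.0.0),
    the supported alternative to clearing ctx->comp_methods by hand."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def compression_disabled(ctx):
    """True when the context will refuse to negotiate any TLS compression method."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


if __name__ == "__main__":
    for kind, r in cell_compression_report().items():
        print("%-10s %4d -> %4d bytes (ratio %.3f), %.1f us/cell"
              % (kind, r["in_bytes"], r["out_bytes"], r["ratio"], r["usec_per_cell"]))
    print("TLS compression disabled:",
          compression_disabled(tls_context_without_compression()))
```

For the encrypted and already-compressed cells deflate falls back to a stored block, so the output is the input plus a few bytes of framing; only the plaintext request shrinks, and the CPU time per cell is paid for all three.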


@ -107,6 +107,9 @@ Changes in version 0.2.1.1-alpha - 2008-??-??
- New configure/torrc options (--enable-geoip-stats, - New configure/torrc options (--enable-geoip-stats,
DirRecordUsageByCountry) to record how many IPs we've served directory DirRecordUsageByCountry) to record how many IPs we've served directory
info to in each country code. info to in each country code.
- Never use OpenSSL compression: it wastes RAM and CPU trying to
compress cells, which are basically all encrypted, compressed, or
both.
o Minor features (security): o Minor features (security):
- Reject requests for reverse-dns lookup of names in a private - Reject requests for reverse-dns lookup of names in a private
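Review bot: the ChangeLog entry states only the new behaviour, not the old one, so an operator cannot tell whether their build was affected; the commit message says compression was "sometimes" being negotiated by default, and that belongs in the entry. Suggest: "- Never use OpenSSL compression: some builds were negotiating it by default, and it wastes RAM and CPU trying to compress cells, which are basically all encrypted, compressed, or both."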


@ -564,6 +564,10 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
#endif #endif
SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE); SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
/* Don't actually allow compression; it uses ram and time, but the data
* we transmit is all encrypted anyway. */
if (result->ctx->comp_methods)
result->ctx->comp_methods = NULL;
#ifdef SSL_MODE_RELEASE_BUFFERS #ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS); SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
#endif #endif
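Review bot: `result->ctx->comp_methods = NULL` reaches into the SSL_CTX struct instead of going through the OpenSSL API, so it will stop compiling once the struct is made opaque, and the `if (result->ctx->comp_methods)` guard in front of it is redundant, since assigning NULL to an already-NULL pointer changes nothing. The surrounding code already uses `#ifdef` feature tests for `SSL_OP_NO_SSLv2` and `SSL_MODE_RELEASE_BUFFERS`; do the same here, preferring the public option where the headers provide it and keeping the struct poke only as the fallback: `#ifdef SSL_OP_NO_COMPRESSION` / `SSL_CTX_set_options(result->ctx, SSL_OP_NO_COMPRESSION);` / `#else` ... (`SSL_OP_NO_COMPRESSION` exists from OpenSSL 1.0.0 on). The comment should also say that the pointer is only cleared, not freed, so a reader does not mistake this for a leak.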