mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-14 07:03:44 +01:00
r7056@Kushana: nickm | 2006-08-08 23:40:53 -0700
Add a comment about v0 fallback approach. Why did we dislike discriminating on X.509 certs again? svn:r6996
This commit is contained in:
parent
070d5555d2
commit
8b2b28a5ef
@ -138,8 +138,8 @@ when do we rotate which keys (tls, link, etc)?
|
|||||||
additional fields to existing structures; implementations are constrained
|
additional fields to existing structures; implementations are constrained
|
||||||
to ignore fields they do not expect.
|
to ignore fields they do not expect.
|
||||||
|
|
||||||
Parties negotiate OR connection versions as described below in section
|
Parties negotiate OR connection versions as described below in sections
|
||||||
|
4.1 and 4.2.
|
||||||
|
|
||||||
2. Connections
|
2. Connections
|
||||||
|
|
||||||
@ -305,13 +305,22 @@ when do we rotate which keys (tls, link, etc)?
|
|||||||
0 when the other side is recognized as a router running version
|
0 when the other side is recognized as a router running version
|
||||||
0.1.2.??-alpha or earlier.
|
0.1.2.??-alpha or earlier.
|
||||||
|
|
||||||
If a server finds that it wants to send a cell (for example because a
|
[If a server finds that it wants to send a cell (for example because a
|
||||||
circuit wants to extend to that client, and the TLS connection
|
circuit wants to extend to that client, and the TLS connection
|
||||||
is already established) yet no cell has arrived yet, we can't
|
is already established) yet no cell has arrived yet, we can't
|
||||||
distinguish between a version 0 client and a slow network. We can't
|
distinguish between a version 0 client and a slow network. We can't
|
||||||
assume that the other side approves of version 0, so we can't just
|
assume that the other side approves of version 0, so we can't just
|
||||||
start using version 0. Perhaps the right answer is to then launch a
|
start using version 0. Perhaps the right answer is to then launch a
|
||||||
new TLS connection because you don't have a usable one after all?
|
new TLS connection because you don't have a usable one after all? -RD]
|
||||||
|
|
||||||
|
[That would seem to be thrashy. Let's see if we can do better. Remember,
|
||||||
|
normal v0 clients always send something after connecting, so if we have
|
||||||
|
had a connection for a while and gotten nothing over it, we could get away
|
||||||
|
with assuming it's bad. Alternatively, we could identify V0 clients by
|
||||||
|
the OU=Tor field in the certificates: we don't check for it, and we never
|
||||||
|
documented it. We might break other people's clients by sending them
|
||||||
|
hello cells, but only if those clients are nonconformant. Am I right?
|
||||||
|
In any case, this seems way more reliable. -NM]
|
||||||
|
|
||||||
5. Circuit management
|
5. Circuit management
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user