Merge commit 'origin/maint-0.2.1'

Nick Mathewson 2010-04-15 10:35:09 -04:00
commit c38fa93ad1
2 changed files with 11 additions and 4 deletions

@ -0,0 +1,5 @@
o Major bugfixes:
- Fix SSL renegotiation behavior on OpenSSL versions that claim to
be earlier than 0.9.8m, but which have in reality backported huge
swaths of 0.9.8m or 0.9.8n renegotiation behavior. Possibly fix
for some cases of bug 1346.
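Review bot: The version boundary in this entry does not match the code it describes: the entry says "claim to be earlier than 0.9.8m", while the changed branch tests `version < 0x009080c0L` and its log message says "older than 0.9.8l". Suggest aligning the entry with the check. The entry should also state what Tor now does on those versions (it sets both the SSL3 flag and the SSL option), since "Fix SSL renegotiation behavior" does not tell an operator what changed.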

@ -368,8 +368,8 @@ tor_tls_init(void)
* OpenSSL 0.9.8l. * OpenSSL 0.9.8l.
* *
* No, we can't just set flag 0x0010 everywhere. It breaks Tor with * No, we can't just set flag 0x0010 everywhere. It breaks Tor with
* OpenSSL 1.0.0beta3 and later. No, we can't just set option * OpenSSL 1.0.0beta3 and later. On the other hand, we might be able to
* 0x00040000L everywhere: before 0.9.8m, it meant something else. * set option 0x00040000L everywhere.
* *
* No, we can't simply detect whether the flag or the option is present * No, we can't simply detect whether the flag or the option is present
* in the headers at build-time: some vendors (notably Apple) like to * in the headers at build-time: some vendors (notably Apple) like to
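Review bot: The rewritten sentence "we might be able to set option 0x00040000L everywhere" drops the earlier caveat ("before 0.9.8m, it meant something else") without recording why it no longer applies. Since this commit starts setting the option on versions that report as older than 0.9.8l, the comment should say what that bit did in those older releases and why setting it there is harmless, or keep the caveat and explain the trade-off. "Might be able to" reads as untested; state what was actually verified.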
@ -393,10 +393,12 @@ tor_tls_init(void)
} else if (version < 0x009080c0L) { } else if (version < 0x009080c0L) {
log_notice(LD_GENERAL, "OpenSSL %s [%lx] looks like it's older than " log_notice(LD_GENERAL, "OpenSSL %s [%lx] looks like it's older than "
"0.9.8l, but some vendors have backported 0.9.8l's " "0.9.8l, but some vendors have backported 0.9.8l's "
"renegotiation code to earlier versions. I'll set " "renegotiation code to earlier versions, and some have "
"SSL3_FLAGS just to be safe.", "backported the code from 0.9.8m or 0.9.8n. I'll set both "
"SSL3_FLAGS and SSL_OP just to be safe.",
SSLeay_version(SSLEAY_VERSION), version); SSLeay_version(SSLEAY_VERSION), version);
use_unsafe_renegotiation_flag = 1; use_unsafe_renegotiation_flag = 1;
use_unsafe_renegotiation_op = 1;
} else { } else {
log_info(LD_GENERAL, "OpenSSL %s has version %lx", log_info(LD_GENERAL, "OpenSSL %s has version %lx",
SSLeay_version(SSLEAY_VERSION), version); SSLeay_version(SSLEAY_VERSION), version);
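Review bot: Setting `use_unsafe_renegotiation_op = 1` in the `version < 0x009080c0L` branch applies to every library below that value, including genuinely old builds with no backports, where the comment text removed in the previous hunk says option 0x00040000L "meant something else". Please confirm the old meaning is benign for Tor's connections, or put a lower bound on the versions that get the option. The log string also abbreviates the option as "SSL_OP", which is a prefix rather than a name; spelling out the option (0x00040000L, as the comment above does) would make the notice usable when triaging reports like bug 1346.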