diff --git a/changes/bug5452 b/changes/bug5452
new file mode 100644
index 0000000000..8e1d9adf7b
--- /dev/null
+++ b/changes/bug5452
@@ -0,0 +1,4 @@
+ o Minor features:
+ - Check CircuitBuildTimeout and LearnCircuitBuildTimeout in
+ options_validate(); warn if LearnCircuitBuildTimeout is disabled
+ and CircuitBuildTimeout is set unreasonably low. Fixes bug 5452.
diff --git a/src/or/config.c b/src/or/config.c
index 1fc5806f11..09fcf000be 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -3320,6 +3320,13 @@ compute_publishserverdescriptor(or_options_t *options)
* expose more information than we're comfortable with. */
#define MIN_HEARTBEAT_PERIOD (30*60)
+/** Lowest recommended value for CircuitBuildTimeout; if it is set too low
+ * and LearnCircuitBuildTimeout is off, the failure rate for circuit
+ * construction may be very high. In that case, if it is set below this
+ * threshold emit a warning.
+ * */
+#define RECOMMENDED_MIN_CIRCUIT_BUILD_TIMEOUT (10)
+
/** Return 0 if every setting in options is reasonable, and a
* permissible transition from old_options. Else return -1.
* Should have no side effects, except for normalizing the contents of
@@ -3716,6 +3723,17 @@ options_validate(or_options_t *old_options, or_options_t *options,
options->LearnCircuitBuildTimeout = 0;
}
+ if (!(options->LearnCircuitBuildTimeout) &&
+ options->CircuitBuildTimeout < RECOMMENDED_MIN_CIRCUIT_BUILD_TIMEOUT) {
+ log_warn(LD_CONFIG,
+ "CircuitBuildTimeout is shorter (%d seconds) than recommended "
+ "(%d seconds), and LearnCircuitBuildTimeout is disabled. "
+ "If tor isn't working, raise this value or enable "
+ "LearnCircuitBuildTimeout.",
+ options->CircuitBuildTimeout,
+ RECOMMENDED_MIN_CIRCUIT_BUILD_TIMEOUT );
+ }
+
if (options->MaxCircuitDirtiness < MIN_MAX_CIRCUIT_DIRTINESS) {
log_warn(LD_CONFIG, "MaxCircuitDirtiness option is too short; "
"raising to %d seconds.", MIN_MAX_CIRCUIT_DIRTINESS);