[or-cvs] r16725: {tor} Backport r15821 to 0.2.0: Disallow session resumption during (in tor/branches/tor-0_2_0-patches: . doc src/common)

nickm at seul.org nickm at seul.org
Mon Sep 1 22:00:07 UTC 2008 

Author: nickm
Date: 2008-09-01 18:00:07 -0400 (Mon, 01 Sep 2008)
New Revision: 16725

Modified:
   tor/branches/tor-0_2_0-patches/ChangeLog
   tor/branches/tor-0_2_0-patches/doc/TODO.020
   tor/branches/tor-0_2_0-patches/src/common/tortls.c
Log:
Backport r15821 to 0.2.0: Disallow session resumption during renegotiation.

Modified: tor/branches/tor-0_2_0-patches/ChangeLog
===================================================================
--- tor/branches/tor-0_2_0-patches/ChangeLog	2008-09-01 21:24:25 UTC (rev 16724)
+++ tor/branches/tor-0_2_0-patches/ChangeLog	2008-09-01 22:00:07 UTC (rev 16725)
@@ -17,6 +17,11 @@
       an alias for the actually-working --with-openssl-dir option.  Fix the
       help documentation to recommend --with-openssl-dir.  Based on a patch
       by "Dave". Bugfix on 0.2.0.1-alpha.
+    - Disallow session resumption attempts during the renegotiation
+      stage of the v2 handshake protocol.  Clients should never be
+      trying session resumption at this point, but apparently some
+      did, in ways that caused the handshake to fail.  Bugfix on
+      0.2.0.20-rc.  Bug found by Geoff Goodell.
 
 
 Changes in version 0.2.0.30 - 2008-07-15

Modified: tor/branches/tor-0_2_0-patches/doc/TODO.020
===================================================================
--- tor/branches/tor-0_2_0-patches/doc/TODO.020	2008-09-01 21:24:25 UTC (rev 16724)
+++ tor/branches/tor-0_2_0-patches/doc/TODO.020	2008-09-01 22:00:07 UTC (rev 16725)
@@ -3,13 +3,13 @@
 description of the patch.)
 
 Backport items for 0.2.0:
-  - r14247: tor-spec and dir-spec updates [just backport the whole files]
+  X r14247: tor-spec and dir-spec updates [just backport the whole files]
 
 Backport for 0.2.0 once better tested:
   d r14830: disable openssl compression.
   - r15699,15700: react quickly to readiness of rendezvous circuits.
-  - r15821: fix bug related to TLS session negotiation.
-  - r16136: prevent circid collision.  [Also backport to 0.1.2.x??]
+  o r15821: fix bug related to TLS session negotiation.
+  o r16136: prevent circid collision.  [Also backport to 0.1.2.x??]
   - r16143: generate stream close events from connection_edge_destroy().
   - r16450: open /dev/pf before dropping privileges.
   - r16605: relays reject risky extend cells.

Modified: tor/branches/tor-0_2_0-patches/src/common/tortls.c
===================================================================
--- tor/branches/tor-0_2_0-patches/src/common/tortls.c	2008-09-01 21:24:25 UTC (rev 16724)
+++ tor/branches/tor-0_2_0-patches/src/common/tortls.c	2008-09-01 22:00:07 UTC (rev 16725)
@@ -564,6 +564,11 @@
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
 #endif
   SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
+
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+  SSL_CTX_set_options(result->ctx,
+                      SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
   if (cert && !SSL_CTX_use_certificate(result->ctx,cert))
     goto error;
   X509_free(cert); /* We just added a reference to cert. */

More information about the tor-commits mailing list