[tor-commits] [tor/master] Only disable cert chaining on the first TLS handshake
nickm at torproject.org
nickm at torproject.org
Thu May 10 19:58:25 UTC 2012
commit f0212197cccf461e431d6807a94ea0fdc411e179
Author: Nick Mathewson <nickm at torproject.org>
Date: Fri Apr 27 12:13:56 2012 -0400
Only disable cert chaining on the first TLS handshake
If the client uses a v2 cipherlist on the renegotiation handshake,
it looks as if they could fail to get a good cert chain from the
server, since they server would re-disable certificate chaining.
This patch makes it so the code that make the server side of the
first v2 handshake special can get called only once.
Fix for 4591; bugfix on 0.2.0.20-rc.
---
changes/bug4591 | 6 ++++++
src/common/tortls.c | 4 +++-
2 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/changes/bug4591 b/changes/bug4591
new file mode 100644
index 0000000..59b25a5
--- /dev/null
+++ b/changes/bug4591
@@ -0,0 +1,6 @@
+ o Minor bugfixes:
+ - If the client fails to set a reasonable set of ciphersuites
+ during its v2 handshake renegotiation, allow the renegotiation
+ to continue nevertheless (i.e., send all the required
+ certificates). Fix for bug 4591; bugfix on 0.2.0.20-rc.
+
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 4c9d218..abdd411 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -965,7 +965,9 @@ tor_tls_server_info_callback(const SSL *ssl, int type, int val)
/* Now check the cipher list. */
if (tor_tls_client_is_using_v2_ciphers(ssl, ADDR(tls))) {
- /*XXXX_TLS keep this from happening more than once! */
+ if (tls->wasV2Handshake)
+ return; /* We already turned this stuff off for the first handshake;
+ * This is a renegotiation. */
/* Yes, we're casting away the const from ssl. This is very naughty of us.
* Let's hope openssl doesn't notice! */
More information about the tor-commits
mailing list