Commit 3a2d677f authored by Martin Peck's avatar Martin Peck Committed by Nick Mathewson
Browse files

Improved workaround for disabled OpenSSL renegotiation.

It turns out that OpenSSL 0.9.8m is likely to take a completely
different approach for reenabling renegotiation than OpenSSL 0.9.8l
did, so we need to work with both. :p   Fixes bug 1158.

(patch by coderman; commit message by nickm)
parent a89f51c9
......@@ -565,6 +565,18 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
SSL_CTX_set_options(result->ctx,
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
#endif
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
/* Yes, we know what we are doing here. No, we do not treat a renegotiation
* as authenticating any earlier-received data.
*
* (OpenSSL 0.9.8l introdeced SSL3_FLAGS_ALLOW_UNSAGE_LEGACY_RENEGOTIATION
* here. OpenSSL 0.9.8m thoughtfully turned it into an option and (it
* seems) broke anything that used SSL3_FLAGS_* for the purpose. So we need
* to do both.)
*/
SSL_CTX_set_options(result->ctx,
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
#endif
/* Don't actually allow compression; it uses ram and time, but the data
* we transmit is all encrypted anyway. */
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment