From: Nick Mathewson
Date: Fri, 27 Apr 2012 16:13:56 +0000 (-0400)
Subject: Only disable cert chaining on the first TLS handshake
X-Git-Tag: tor-0.2.3.16-alpha~85^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f0212197cccf461e431d6807a94ea0fdc411e179;p=thirdparty%2Ftor.git

Only disable cert chaining on the first TLS handshake

If the client uses a v2 cipherlist on the renegotiation handshake, it looks as if they could fail to get a good cert chain from the server, since the server would re-disable certificate chaining. This patch makes it so the code that makes the server side of the first v2 handshake special can get called only once. Fix for 4591; bugfix on 0.2.0.20-rc.

---
diff --git a/changes/bug4591 b/changes/bug4591 new file mode 100644 index 0000000000..59b25a5252 --- /dev/null +++ b/changes/bug4591 @@ -0,0 +1,6 @@ + o Minor bugfixes: + - If the client fails to set a reasonable set of ciphersuites + during its v2 handshake renegotiation, allow the renegotiation + to continue nevertheless (i.e., send all the required + certificates). Fix for bug 4591; bugfix on 0.2.0.20-rc. + diff --git a/src/common/tortls.c b/src/common/tortls.c index 4c9d2188d4..abdd411dfb 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -965,7 +965,9 @@ tor_tls_server_info_callback(const SSL *ssl, int type, int val) /* Now check the cipher list. */ if (tor_tls_client_is_using_v2_ciphers(ssl, ADDR(tls))) { - /*XXXX_TLS keep this from happening more than once! */ + if (tls->wasV2Handshake) + return; /* We already turned this stuff off for the first handshake; + * This is a renegotiation. */ /* Yes, we're casting away the const from ssl. This is very naughty of us. * Let's hope openssl doesn't notice! */
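Review bot: the early `return` in the tortls.c hunk leaves tor_tls_server_info_callback entirely rather than just skipping the block that disables certificate chaining, so anything the callback does after the `if (tor_tls_client_is_using_v2_ciphers(ssl, ADDR(tls)))` block is also skipped on the renegotiation; the hunk's context does not show what follows that block, so please confirm nothing below it needs to run, or narrow the guard to `if (!tls->wasV2Handshake) { ... }` around just the chaining code. The guard is also only correct if `tls->wasV2Handshake` is set to 1 on the first handshake before the renegotiation triggers this callback again; the line that sets the flag is not in this hunk, and the change would be easier to verify with that assignment visible in the context or named in the commit message. Minor style: the two-line comment trailing `return;` reads better placed above the `if`, e.g. `/* We already turned this off for the first handshake; this is a renegotiation. */`, and the mid-sentence capital in `; This is a renegotiation` should be lowercase.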