Merge remote branch 'origin/maint-0.2.1'

author Nick Mathewson <nickm@torproject.org>

Mon, 1 Feb 2010 03:53:19 +0000 (22:53 -0500)

committer Nick Mathewson <nickm@torproject.org>

Mon, 1 Feb 2010 03:53:19 +0000 (22:53 -0500)
author Nick Mathewson <nickm@torproject.org>
Mon, 1 Feb 2010 03:53:19 +0000 (22:53 -0500)
committer Nick Mathewson <nickm@torproject.org>
Mon, 1 Feb 2010 03:53:19 +0000 (22:53 -0500)
diff --cc src/common/tortls.c

index 344515b10263f44693ffb2cc886e16cf192f814a,f552f2162dc65fe15a0e057d2ae97d3f9e159194..cdd9f7ccbd797b934ba6bcf99f7c0a2f7ab06ab6
--- 1/src/common/tortls.c
--- 2/src/common/tortls.c
+++ b/src/common/tortls.c
@@@ -354,11 -330,35 +354,34 @@@ tor_tls_init(void
       long version;
       SSL_library_init();
       SSL_load_error_strings();
- -    crypto_global_init(-1);
   
       version = SSLeay();
-     if (version >= 0x009070c0L && version < 0x00908000L) {
-       log_notice(LD_GENERAL, "OpenSSL %s looks like version 0.9.7l or later; "
-                  "I will try SSL3_FLAGS and SSL3_OP to enable renegotation",
+ 
+     /* OpenSSL 0.9.8l introdeced SSL3_FLAGS_ALLOW_UNSAGE_LEGACY_RENEGOTIATION
+      * here, but without thinking too hard about it: it turns out that the
+      * flag in question needed to be set at the last minute, and that it
+      * conflicted with an existing flag number that had already been added
+      * in the OpenSSL 1.0.0 betas.  OpenSSL 0.9.8m thoughtfully replaced
+      * the flag with an option and (it seems) broke anything that used
+      * SSL3_FLAGS_* for the purpose.  So we need to know how to do both,
+      * and we mustn't use the SSL3_FLAGS option with anything besides
+      * OpenSSL 0.9.8l.
+      *
+      * No, we can't just set flag 0x0010 everywhere.  It breaks Tor with
+      * OpenSSL 1.0.0beta, since i.  No, we can't just set option
+      * 0x00040000L everywhere: before 0.9.8m, it meant something else.
+      *
+      * No, we can't simply detect whether the flag or the option is present
+      * in the headers at build-time: some vendors (notably Apple) like to
+      * leave their headers out of sync with their libraries.
+      *
+      * Yes, it _is_ almost as if the OpenSSL developers decided that no
+      * program should be allowed to use renegotiation its first passed an
+      * test of intelligence and determination.
+      */
+     if (version >= 0x009080c0L && version < 0x009080d0L) {
+       log_notice(LD_GENERAL, "OpenSSL %s looks like version 0.9.8l; "
+                  "I will try SSL3_FLAGS  to enable renegotation.",
                    SSLeay_version(SSLEAY_VERSION));
         use_unsafe_renegotiation_flag = 1;
         use_unsafe_renegotiation_op = 1;
@@@ -943,8 -937,9 +960,9 @@@ tor_tls_new(int sock, int isServer
       SSL_set_info_callback(result->ssl, tor_tls_server_info_callback);
     }
   #endif
+ 
     /* Not expected to get called. */
- -  tls_log_errors(NULL, LOG_WARN, "generating TLS context");
+ +  tls_log_errors(NULL, LOG_WARN, LD_NET, "generating TLS context");
     return result;
   }
author	Nick Mathewson <nickm@torproject.org>
	Mon, 1 Feb 2010 03:53:19 +0000 (22:53 -0500)
committer	Nick Mathewson <nickm@torproject.org>
	Mon, 1 Feb 2010 03:53:19 +0000 (22:53 -0500)