Change "warn if unverified routers are very skewed" to "never warn about unverified...

svn:r2885

diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index ca3edd536af4c715de35e6406f0799f8aa6e2768..d96db8d0d28a9caf6b3d70c7fdb085a572e888ac 100644 (file)
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -15,9 +15,6 @@
 /** How much clock skew do we tolerate when checking certificates for
  * known routers? (sec) */
 #define TIGHT_CERT_ALLOW_SKEW (90*60)
-/** How much clock skew do we tolerate when checking certificates for
- * unknown routers/clients? (sec) */
-#define LOOSE_CERT_ALLOW_SKEW (24*60*60)
 
 static int connection_tls_finish_handshake(connection_t *conn);
 static int connection_or_process_cells_from_inbuf(connection_t *conn);
@@ -369,11 +366,13 @@ connection_tls_finish_handshake(connection_t *conn) {
            nickname, conn->address, conn->port);
     return -1;
   }
+#if 0
   if(tor_tls_check_lifetime(conn->tls, LOOSE_CERT_ALLOW_SKEW)<0) {
-    log_fn(LOG_WARN,"Other side '%s' (%s:%d) has a very highly skewed clock, or an expired certificate. Closing.",
+    log_fn(LOG_WARN,"Other side '%s' (%s:%d) has a very highly skewed clock, or an expired certificate.  Closing.",
            nickname, conn->address, conn->port);
     return -1;
   }
+#endif
   log_fn(LOG_DEBUG,"The router's cert is valid.");
   crypto_pk_get_digest(identity_rcvd, digest_rcvd);
 
@@ -394,7 +393,7 @@ connection_tls_finish_handshake(connection_t *conn) {
   if (router_get_by_digest(digest_rcvd)) {
     /* This is a known router; don't cut it slack with its clock skew. */
     if(tor_tls_check_lifetime(conn->tls, TIGHT_CERT_ALLOW_SKEW)<0) {
-      log_fn(LOG_WARN,"Router '%s' (%s:%d) has a skewed clock, or an expired certificate. Closing.",
+      log_fn(LOG_WARN,"Router '%s' (%s:%d) has a skewed clock, or an expired certificate; or else our clock is skewed. Closing.",
              nickname, conn->address, conn->port);
       return -1;
     }