Fix for session-related bug found by Geoff Goodell. Backport candidate, once tested.
svn:r15821
- Correctly detect transparent proxy support on Linux hosts that
require in.h to be included before netfilter_ipv4.h. Patch
from coderman.
+ - Disallow session resumption attempts during the renegotiation
+ stage of the v2 handshake protocol. Clients should never be
+ trying session resumption at this point, but apparently some
+ did, in ways that caused the handshake to fail. Bugfix on
+ 0.2.0.20-rc. Bug found by Geoff Goodell.
Changes in version 0.2.1.2-alpha - 2008-06-20
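Review bot: the ChangeLog entry describes the new behaviour as unconditional, but the accompanying tortls.c change is wrapped in `#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION`, so a Tor built against an OpenSSL that does not define that option keeps the old behaviour and the handshake failure is not fixed there. Consider adding a clause such as "(requires an OpenSSL that supports SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)" so operators and packagers know the fix depends on the OpenSSL version they link against.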
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
#endif
SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
+
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ SSL_CTX_set_options(result->ctx,
+ SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
/* Don't actually allow compression; it uses ram and time, but the data
* we transmit is all encrypted anyway. */
if (result->ctx->comp_methods)
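Review bot: the `#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION` guard makes the fix silently disappear on an OpenSSL too old to define the option, with nothing at build or run time to show that the mitigation is absent; add an `#else` branch with a `#warning` (or a one-time log message where the context is created) naming the missing option, so a build that lacks it is visible rather than quietly unfixed. A short comment above the block stating why the option is set (clients attempting session resumption during the renegotiation stage of the v2 handshake, which broke the handshake) would also help future readers, in the same style as the compression comment that follows; the ChangeLog carries that reasoning but the code does not.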