this new scheme when the server supports it.
- Add a new V3AuthUseLegacyKey option to make it easier for authorities
to change their identity keys if they have to.
+ - If the user has applied the experimental SSL_MODE_RELEASE_BUFFERS
+ patch to their OpenSSL, turn it on to save memory on servers. This
+ patch will (with any luck) get included in a mainline distribution
+ before too long.
o Minor features (security):
- Reject requests for reverse-dns lookup of names in a private
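Review bot: The new ChangeLog entry says the mode is turned on "to save memory on servers", but the accompanying code change guards the call only with `#ifdef SSL_MODE_RELEASE_BUFFERS` and shows no server check. Either reword the entry to say the mode is enabled wherever the build's OpenSSL headers define it, or make the code conditional on running as a server so the two agree. It would also help to say that detection happens at build time, since "if the user has applied the patch to their OpenSSL" reads as if a later library upgrade would be picked up automatically.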
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
#endif
SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
+#ifdef SSL_MODE_RELEASE_BUFFERS
+ SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
if (cert && !SSL_CTX_use_certificate(result->ctx,cert))
goto error;
X509_free(cert); /* We just added a reference to cert. */
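Review bot: The `#ifdef SSL_MODE_RELEASE_BUFFERS` guard around the added `SSL_CTX_set_mode()` call is a compile-time test of the headers only, so a binary built against patched headers but run against an unpatched libssl will still pass the flag. Please add a short comment above the block saying what the mode does and that it depends on an experimental OpenSSL patch, and consider whether a runtime check is needed for the header/library mismatch case. The return value of `SSL_CTX_set_mode()` is also discarded, which matches the neighbouring `SSL_CTX_set_options()` calls but means nothing records whether the mode was actually set.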