resolves ticket 8443.
--- /dev/null
+ o Minor features:
+ - Randomize the lifetime of our SSL link certificate, so censors can't
+ use the static value for filtering Tor flows. Resolves ticket 8443;
+ related to ticket 4014 which was included in 0.2.2.33.
**ShutdownWaitLength** __NUM__::
When we get a SIGINT and we're a server, we begin shutting down:
we close listeners and start refusing new circuits. After **NUM**
- seconds, we exit. If we get a second SIGINT, we exit immedi-
- ately. (Default: 30 seconds)
+ seconds, we exit. If we get a second SIGINT, we exit immediately.
+ (Default: 30 seconds)
+
+**SSLKeyLifetime** __N__ **minutes**|**hours**|**days**|**weeks**::
+ When creating a link certificate for our outermost SSL handshake,
+ set its lifetime to this amount of time. If set to 0, Tor will choose
+ some reasonable random defaults. (Default: 0)
**HeartbeatPeriod** __N__ **minutes**|**hours**|**days**|**weeks**::
Log a heartbeat message every **HeartbeatPeriod** seconds. This is
V(SocksPolicy, LINELIST, NULL),
VPORT(SocksPort, LINELIST, NULL),
V(SocksTimeout, INTERVAL, "2 minutes"),
- V(SSLKeyLifetime, INTERVAL, "365 days"),
+ V(SSLKeyLifetime, INTERVAL, "0"),
OBSOLETE("StatusFetchPeriod"),
V(StrictNodes, BOOL, "0"),
OBSOLETE("SysLog"),
*/
int DisableV2DirectoryInfo_;
- /** What expiry time shall we place on our SSL certs? */
+ /** What expiry time shall we place on our SSL certs? "0" means we
+ * should guess a suitable value. */
int SSLKeyLifetime;
} or_options_t;
else if (!strcasecmp(options->TLSECGroup, "P224"))
flags |= TOR_TLS_CTX_USE_ECDHE_P224;
}
+ if (!lifetime) { /* we should guess a good ssl cert lifetime */
+ /* choose between 1 and 365 days */
+ lifetime = 1*24*3600 + crypto_rand_int(364*24*3600);
+ }
/* It's ok to pass lifetime in as an unsigned int, since
* config_parse_interval() checked it. */
projects / thirdparty / tor.git / commitdiff
