blob: 3180b6c6a2681055af40e7c8af939f77c9fd3951 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
From: Taylor R Campbell
Subject: patch for Tor to workaround OpenSSL renegotiation lossage on 5.1
Cc: athaba (pkgsrc/net/tor maintainer)
Date: Fri, 30 Jul 2010 01:31:50 +0000
Here's a patch to make Tor work on NetBSD 5.1, which implemented
OpenSSL 0.9.8l's ABI-incompatible SSL3_FLAGS method for reenabling TLS
renegotiation. Tor already jumps through a number of hoops to guess
the right way to reenable renegotiation in OpenSSL, but it guesses
wrong for the version of OpenSSL that comes with NetBSD 5.1, which,
being 0.9.9-dev, looks newer than 0.9.8m.
I'm posting this here rather than on a Tor list because I don't think
it should be Tor's responsibility to work around back-ports and
forward-ports of broken OpenSSL features. What I'd really rather see
is OpenSSL 0.9.8m's ABI-compatible SSL_OP method for reenabling TLS[*]
put into NetBSD 5.1 (and SSL_OP_ALLOW_UNSAFE_RENEGOTIATION defined in
ssl.h) so that this patch would be unnecessary.
[2. text/plain; nbsd51-reneg]
--- ./src/common/tortls.c.~1~ 2010-05-02 22:02:50.000000000 +0000
+++ ./src/common/tortls.c 2010-07-30 00:34:00.000000000 +0000
@@ -356,6 +356,17 @@
* program should be allowed to use renegotiation its first passed an
* test of intelligence and determination.
*/
+#ifdef __NetBSD__
+ /* In NetBSD 5.1, OpenSSL 0.9.9-dev was imported and `fixed' to use
+ the same scheme as 0.9.8l. */
+ if (version == 0x00909000L) {
+ log_notice(LD_GENERAL, "OpenSSL %s on NetBSD looks like version 0.9.8l; "
+ "I will try SSL3_FLAGS to enable renegotation.",
+ SSLeay_version(SSLEAY_VERSION));
+ use_unsafe_renegotiation_flag = 1;
+ use_unsafe_renegotiation_op = 1;
+ } else
+#endif
if (version >= 0x009080c0L && version < 0x009080d0L) {
log_notice(LD_GENERAL, "OpenSSL %s looks like version 0.9.8l; "
"I will try SSL3_FLAGS to enable renegotation.",
|
