[or-cvs] r14830: Ouch. We were sometimes getting openssl compression by defau (in tor/trunk: . src/common)
nickm at seul.org
Thu May 29 14:39:57 UTC 2008
Author: nickm
Date: 2008-05-29 10:39:56 -0400 (Thu, 29 May 2008)
New Revision: 14830
Modified:
tor/trunk/ChangeLog
tor/trunk/src/common/tortls.c
Log:
Ouch. We were sometimes getting openssl compression by default. This is pointless for us, since the overwhelming majority of our cells are encrypted, full of compressed data, or both. This is also harmful, since doing piles of compression is not cheap. Backport candidate once more tested.
Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog 2008-05-29 14:37:56 UTC (rev 14829)
+++ tor/trunk/ChangeLog 2008-05-29 14:39:56 UTC (rev 14830)
@@ -107,6 +107,9 @@
- New configure/torrc options (--enable-geoip-stats,
DirRecordUsageByCountry) to record how many IPs we've served directory
info to in each country code.
+ - Never use OpenSSL compression: it wastes RAM and CPU trying to
+ compress cells, which are basically all encrypted, compressed, or
+ both.
o Minor features (security):
- Reject requests for reverse-dns lookup of names in a private
Modified: tor/trunk/src/common/tortls.c
===================================================================
--- tor/trunk/src/common/tortls.c 2008-05-29 14:37:56 UTC (rev 14829)
+++ tor/trunk/src/common/tortls.c 2008-05-29 14:39:56 UTC (rev 14830)
@@ -564,6 +564,10 @@
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
#endif
SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
+ /* Don't actually allow compression; it uses ram and time, but the data
+ * we transmit is all encrypted anyway. */
+ if (result->ctx->comp_methods)
+ result->ctx->comp_methods = NULL;
#ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
#endif
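Review bot: The fix at `result->ctx->comp_methods = NULL` reaches into the private layout of `SSL_CTX`, so it compiles only against OpenSSL builds where that struct is exposed and will silently stop being applied (or stop compiling) once the struct becomes opaque; the hunk should either guard the direct field write with an OpenSSL version check or prefer the public `SSL_OP_NO_COMPRESSION` option via `SSL_CTX_set_options()` when that macro is defined, falling back to the field write only on older versions. The surrounding `if (result->ctx->comp_methods)` test is also redundant, since assigning NULL to an already-NULL pointer is harmless; a bare assignment with the same comment reads cleaner. Finally, the comment says the data "is all encrypted anyway", while the commit message and ChangeLog say "encrypted, compressed, or both"; aligning the in-code comment with that wording would make the rationale self-contained for anyone reading tortls.c without the log.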