[tor-commits] [tor/release-0.2.1] Generate our ssl session certs with a plausible lifetime

Mon Oct 24 06:28:40 UTC 2011

commit 62ec584a3014b9b9333dcc6feb4989d1592d6d26
Author: Roger Dingledine <arma at torproject.org>
Date:   Tue Sep 13 18:24:45 2011 -0400

    Generate our ssl session certs with a plausible lifetime
    
    Nobody but Tor uses certs on the wire with 2 hour lifetimes,
    and it makes us stand out. Resolves ticket 4014.
---
 changes/bug4014 |    3 +++
 src/or/main.c   |    8 +++++---
 src/or/or.h     |    4 +++-
 src/or/router.c |    6 ++++--
 4 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/changes/bug4014 b/changes/bug4014
new file mode 100644
index 0000000..9c20c6c
--- /dev/null
+++ b/changes/bug4014
@@ -0,0 +1,3 @@
+  o Minor features:
+    - Adjust the expiration time on our SSL session certificates to
+      better match SSL certs seen in the wild. Resolves ticket 4014.
diff --git a/src/or/main.c b/src/or/main.c
index e44fd49..3c879dc 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -866,12 +866,14 @@ run_scheduled_events(time_t now)
       now + DESCRIPTOR_FAILURE_RESET_INTERVAL;
   }
 
-  /** 1b. Every MAX_SSL_KEY_LIFETIME seconds, we change our TLS context. */
+  /** 1b. Every MAX_SSL_KEY_LIFETIME_INTERNAL seconds, we change our
+   * TLS context. */
   if (!last_rotated_x509_certificate)
     last_rotated_x509_certificate = now;
-  if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME < now) {
+  if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME_INTERNAL < now) {
     log_info(LD_GENERAL,"Rotating tls context.");
-    if (tor_tls_context_new(get_identity_key(), MAX_SSL_KEY_LIFETIME) < 0) {
+    if (tor_tls_context_new(get_identity_key(),
+                            MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
       log_warn(LD_BUG, "Error reinitializing TLS context");
       /* XXX is it a bug here, that we just keep going? -RD */
     }
diff --git a/src/or/or.h b/src/or/or.h
index 976ba9f..0f5b2bb 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -166,7 +166,9 @@
 /** How often do we rotate onion keys? */
 #define MIN_ONION_KEY_LIFETIME (7*24*60*60)
 /** How often do we rotate TLS contexts? */
-#define MAX_SSL_KEY_LIFETIME (2*60*60)
+#define MAX_SSL_KEY_LIFETIME_INTERNAL (2*60*60)
+/** What expiry time shall we place on our SSL certs? */
+#define MAX_SSL_KEY_LIFETIME_ADVERTISED (365*24*60*60)
 
 /** How old do we allow a router to get before removing it
  * from the router list? In seconds. */
diff --git a/src/or/router.c b/src/or/router.c
index cc60041..2afde74 100644
--- a/src/or/router.c
+++ b/src/or/router.c
@@ -458,7 +458,8 @@ init_keys(void)
     }
     set_identity_key(prkey);
     /* Create a TLS context; default the client nickname to "client". */
-    if (tor_tls_context_new(get_identity_key(), MAX_SSL_KEY_LIFETIME) < 0) {
+    if (tor_tls_context_new(get_identity_key(),
+                            MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
       log_err(LD_GENERAL,"Error creating TLS context for Tor client.");
       return -1;
     }
@@ -536,7 +537,8 @@ init_keys(void)
   tor_free(keydir);
 
   /* 3. Initialize link key and TLS context. */
-  if (tor_tls_context_new(get_identity_key(), MAX_SSL_KEY_LIFETIME) < 0) {
+  if (tor_tls_context_new(get_identity_key(),
+                          MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
     log_err(LD_GENERAL,"Error initializing TLS context");
     return -1;
   }



