SSL handshake filtered when MAX_SSL_KEY_LIFETIME_ADVERTISED is 365 days
| Reported by: | arma | Owned by: | |
| Cc: | cda, phw | Actual Points: | |
I spent some time this afternoon with cda, doing Tor handshakes from inside Iran. The handshake completed, but then the TCP connection got cut, when the SSL cert had a lifetime of 365 days.
When I changed the 365 to 65 in or.h, on the bridge, the TCP connection survived.
(But that wasn't sufficient, since for some reason the directory request wasn't getting through, or the response wasn't getting through.)
In any case, we should take steps to randomize our SSL link cert lifetime.
This is the follow-on ticket to #4014 (which we knew we'd need to do one day, and this is the day).
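One way to pick the randomized link certificate validity window this ticket asks for, as an added example that is not Tor's code and not part of the ticket. The 5-day and 365-day bounds, the backdated start and every name in it are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define DAY_SECS 86400u
#define MIN_LIFETIME_DAYS 5u    /* assumed lower bound, not Tor's value */
#define MAX_LIFETIME_DAYS 365u  /* assumed upper bound (exclusive) */

struct validity { time_t not_before, not_after; };
typedef uint32_t (*rand_below_fn)(uint32_t n);  /* uniform in [0, n) */

/* Unbiased value in [0, n) from the OS RNG, by rejection sampling. */
uint32_t os_rand_below(uint32_t n) {
  uint32_t r, limit = UINT32_MAX - (UINT32_MAX % n);
  FILE *f = fopen("/dev/urandom", "rb");
  if (!f) abort();
  do {
    if (fread(&r, sizeof r, 1, f) != 1) abort();
  } while (r >= limit);
  fclose(f);
  return r % n;
}

/* Fixed generators, used only to check the extremes of the range. */
uint32_t rand_lowest(uint32_t n) { (void)n; return 0; }
uint32_t rand_highest(uint32_t n) { return n - 1; }

struct validity pick_validity(time_t now, rand_below_fn rnd) {
  struct validity v;
  uint32_t lifetime = MIN_LIFETIME_DAYS * DAY_SECS +
      rnd((MAX_LIFETIME_DAYS - MIN_LIFETIME_DAYS) * DAY_SECS);
  /* Backdate the start by a random part of the lifetime, so that the
   * remaining validity does not reveal the chosen lifetime either. */
  uint32_t age = rnd(lifetime);
  v.not_before = now - (time_t)age;
  v.not_after = v.not_before + (time_t)lifetime;
  return v;
}

int main(void) {
  time_t now = time(NULL);
  for (int i = 0; i < 3; i++) {
    struct validity v = pick_validity(now, os_rand_below);
    printf("lifetime %.1f days, expires in %.1f days\n",
           difftime(v.not_after, v.not_before) / DAY_SECS,
           difftime(v.not_after, now) / DAY_SECS);
  }
  return 0;
}
```

Each certificate built from such a window has a different notAfter minus notBefore, so a filter cannot match on one constant lifetime the way it could on a fixed 365 days.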