From bb424e4447a5b1e2f9592eed52f869426933f2c8 Mon Sep 17 00:00:00 2001 From: Pieter Wuille Date: Fri, 21 Nov 2014 12:22:11 +0100 Subject: [PATCH 1/2] Limit the number of new addressses to accumulate Rebased-From: 12a49cac0a561ada277e93549cae26a3123a6023 --- src/net.h | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/net.h b/src/net.h index cb07156bd..5c6dc3745 100644 --- a/src/net.h +++ b/src/net.h @@ -40,6 +40,8 @@ namespace boost { static const unsigned int MAX_INV_SZ = 50000; /** The maximum number of entries in mapAskFor */ static const size_t MAPASKFOR_MAX_SZ = MAX_INV_SZ; +/** The maximum number of new addresses to accumulate before announcing. */ +static const unsigned int MAX_ADDR_TO_SEND = 1000; inline unsigned int ReceiveFloodSize() { return 1000*GetArg("-maxreceivebuffer", 5*1000); } inline unsigned int SendBufferSize() { return 1000*GetArg("-maxsendbuffer", 1*1000); } @@ -400,8 +402,13 @@ public: // Known checking here is only to save space from duplicates. // SendMessages will filter it again for knowns that were added // after addresses were pushed. - if (addr.IsValid() && !setAddrKnown.count(addr)) - vAddrToSend.push_back(addr); + if (addr.IsValid() && !setAddrKnown.count(addr)) { + if (vAddrToSend.size() >= MAX_ADDR_TO_SEND) { + vAddrToSend[insecure_rand() % vAddrToSend.size()] = addr; + } else { + vAddrToSend.push_back(addr); + } + } } From 0a94661e8db94e84ecbf1ea45a51fb3c7fb77283 Mon Sep 17 00:00:00 2001 From: Gregory Maxwell Date: Sat, 6 Dec 2014 07:08:02 -0800 Subject: [PATCH 2/2] Disable SSLv3 (in favor of TLS) for the RPC client and server. TLS is subject to downgrade attacks when SSLv3 is available, and SSLv3 has vulnerabilities. The popular solution is to disable SSLv3. On the web this breaks some tiny number of very old clients. While Bitcoin RPC shouldn't be exposed to the open Internet, it also shouldn't be exposed to really old SSL implementations, so it shouldn't be a major issue for us to disable SSLv3. There is more information on the downgrade attacks and disabling SSLv3 at https://disablessl3.com/ . Rebased-From: 683dc4009b2b01699e672f8150c28e2ebe0aae19 --- src/rpcclient.cpp | 2 +- src/rpcserver.cpp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rpcclient.cpp b/src/rpcclient.cpp index 4f3c39ce9..5e62b7130 100644 --- a/src/rpcclient.cpp +++ b/src/rpcclient.cpp @@ -40,7 +40,7 @@ Object CallRPC(const string& strMethod, const Array& params) bool fUseSSL = GetBoolArg("-rpcssl", false); asio::io_service io_service; ssl::context context(io_service, ssl::context::sslv23); - context.set_options(ssl::context::no_sslv2); + context.set_options(ssl::context::no_sslv2 | ssl::context::no_sslv3); asio::ssl::stream sslStream(io_service, context); SSLIOStreamDevice d(sslStream, fUseSSL); iostreams::stream< SSLIOStreamDevice > stream(d); diff --git a/src/rpcserver.cpp b/src/rpcserver.cpp index f43acf41b..cc9e3307d 100644 --- a/src/rpcserver.cpp +++ b/src/rpcserver.cpp @@ -539,7 +539,7 @@ void StartRPCThreads() if (fUseSSL) { - rpc_ssl_context->set_options(ssl::context::no_sslv2); + rpc_ssl_context->set_options(ssl::context::no_sslv2 | ssl::context::no_sslv3); filesystem::path pathCertFile(GetArg("-rpcsslcertificatechainfile", "server.cert")); if (!pathCertFile.is_complete()) pathCertFile = filesystem::path(GetDataDir()) / pathCertFile;