Use SSL_OP_NO_COMPRESSION if available

Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients that negotiate TLS-level compression can be abused for MITM attacks. Patch from openSUSE on 2012-11-12: https://build.opensuse.org/request/show/141054
2013-11-07 23:29:54 +09:00
parent dbd52ac2ca
commit 095195f629
1 changed files with 3 additions and 0 deletions
--- a/url.c
+++ b/url.c
@@ -337,6 +337,9 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
 	    if (strchr(ssl_forbid_method, 'T'))
 		option |= SSL_OP_NO_TLSv1;
 	}
+#ifdef SSL_OP_NO_COMPRESSION
+	option |= SSL_OP_NO_COMPRESSION;
+#endif
 	SSL_CTX_set_options(ssl_ctx, option);
 #ifdef USE_SSL_VERIFY
 	/* derived from openssl-0.9.5/apps/s_{client,cb}.c */