storm/w3m
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use SSL_OP_NO_COMPRESSION if available

Browse Source 
Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients
that negotiate TLS-level compression can be abused for
MITM attacks.

Patch from openSUSE on 2012-11-12:
https://build.opensuse.org/request/show/141054
This commit is contained in:
Cristian Rodriguez
2013-11-07 23:29:54 +09:00
committed by Tatsuya Kinoshita
parent dbd52ac2ca
commit 095195f629
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
url.c
View File

@@ -337,6 +337,9 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
if (strchr(ssl_forbid_method, 'T')) if (strchr(ssl_forbid_method, 'T'))
option |= SSL_OP_NO_TLSv1; option |= SSL_OP_NO_TLSv1;
} }
#ifdef SSL_OP_NO_COMPRESSION
option |= SSL_OP_NO_COMPRESSION;
#endif
SSL_CTX_set_options(ssl_ctx, option); SSL_CTX_set_options(ssl_ctx, option);
#ifdef USE_SSL_VERIFY #ifdef USE_SSL_VERIFY
/* derived from openssl-0.9.5/apps/s_{client,cb}.c */ /* derived from openssl-0.9.5/apps/s_{client,cb}.c */