Subject: OpenSSL issues
Author: Cristian Rodriguez <crrodriguez@opensuse.org>
Origin: https://build.opensuse.org/request/show/141054
Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2012-4929
Mon Nov 12 18:26:45 UTC 2012 - crrodriguez@opensuse.org
- Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients
that negotiate TLS-level compression can leak secrets (e.g. session
cookies) to an attacker who can inject chosen plaintext and observe
ciphertext lengths. (w3m-openssl.patch)
- Use SSL_MODE_RELEASE_BUFFERS if available .
--- w3m.orig/url.c
+++ w3m/url.c
@@ -337,7 +337,15 @@ openSSLHandle(int sock, char *hostname,
if (strchr(ssl_forbid_method, 'T'))
option |= SSL_OP_NO_TLSv1;
}
+#ifdef SSL_OP_NO_COMPRESSION
+ option |= SSL_OP_NO_COMPRESSION;
+#endif
SSL_CTX_set_options(ssl_ctx, option);
+
+#ifdef SSL_MODE_RELEASE_BUFFERS
+ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
+
#ifdef USE_SSL_VERIFY
/* derived from openssl-0.9.5/apps/s_{client,cb}.c */
#if 1 /* use SSL_get_verify_result() to verify cert */
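Review bot: The `#ifdef SSL_OP_NO_COMPRESSION` guard makes the CRIME mitigation a silent no-op on OpenSSL builds that predate that flag (as far as I recall it arrived in 1.0.0), so a w3m linked against an older library keeps negotiating TLS compression with no diagnostic at all. Those older versions still expose the global compression-method stack, so an `#else` branch calling `sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());` (itself wrapped in `#ifndef OPENSSL_NO_COMP`) would extend the fix to them; if that API is considered too fragile to rely on, at least a `#warning` or comment in the `#else` path should say that compression stays enabled on such builds. A one-line comment above the added option, e.g. `/* CVE-2012-4929 (CRIME): never negotiate TLS-level compression, regardless of ssl_forbid_method */`, would also record why this is set unconditionally rather than through the user-configurable forbid list. openSSLHandle's body starts before and continues after this hunk.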