Use SSL_OP_NO_COMPRESSION if available

Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients that negotiate TLS-level compression can be abused for MITM attacks. Patch from openSUSE on 2012-11-12: https://build.opensuse.org/request/show/141054
author: Cristian Rodriguez <crrodriguez@opensuse.org> 2013-11-07 14:29:54 +0000
committer: Tatsuya Kinoshita <tats@debian.org> 2013-11-07 14:29:54 +0000
commit: 095195f62944b7558ec70a1cd2a59570cddb1dc2 (patch)
tree: 26d678c8d02014f89cb0b768a0c82e485293618a
parent: Merge from upstream on 2012-05-22 (diff)
download: w3m-095195f62944b7558ec70a1cd2a59570cddb1dc2.tar.gz
w3m-095195f62944b7558ec70a1cd2a59570cddb1dc2.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/url.c b/url.c
index ed6062e..e450d6c 100644
--- a/url.c
+++ b/url.c
@@ -337,6 +337,9 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
 	    if (strchr(ssl_forbid_method, 'T'))
 		option |= SSL_OP_NO_TLSv1;
 	}
+#ifdef SSL_OP_NO_COMPRESSION
+	option |= SSL_OP_NO_COMPRESSION;
+#endif
 	SSL_CTX_set_options(ssl_ctx, option);
 #ifdef USE_SSL_VERIFY
 	/* derived from openssl-0.9.5/apps/s_{client,cb}.c */
author	Cristian Rodriguez <crrodriguez@opensuse.org>	2013-11-07 14:29:54 +0000
committer	Tatsuya Kinoshita <tats@debian.org>	2013-11-07 14:29:54 +0000
commit	095195f62944b7558ec70a1cd2a59570cddb1dc2 (patch)
tree	26d678c8d02014f89cb0b768a0c82e485293618a
parent	Merge from upstream on 2012-05-22 (diff)
download	w3m-095195f62944b7558ec70a1cd2a59570cddb1dc2.tar.gz w3m-095195f62944b7558ec70a1cd2a59570cddb1dc2.zip