author | Cristian Rodriguez <crrodriguez@opensuse.org> | 2013-11-07 14:29:54 +0000 |
---|---|---|
committer | Tatsuya Kinoshita <tats@debian.org> | 2013-11-07 14:29:54 +0000 |
commit | 095195f62944b7558ec70a1cd2a59570cddb1dc2 (patch) | |
tree | 26d678c8d02014f89cb0b768a0c82e485293618a | |
parent | Merge from upstream on 2012-05-22 (diff) | |

Use SSL_OP_NO_COMPRESSION if available

Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients
that negotiate TLS-level compression can be abused for
MITM attacks.

Patch from openSUSE on 2012-11-12:
https://build.opensuse.org/request/show/141054

-rw-r--r-- | url.c | 3 |
1 files changed, 3 insertions, 0 deletions
@@ -337,6 +337,9 @@ openSSLHandle(int sock, char *hostname, char **p_cert) if (strchr(ssl_forbid_method, 'T')) option |= SSL_OP_NO_TLSv1; } +#ifdef SSL_OP_NO_COMPRESSION + option |= SSL_OP_NO_COMPRESSION; +#endif SSL_CTX_set_options(ssl_ctx, option); #ifdef USE_SSL_VERIFY /* derived from openssl-0.9.5/apps/s_{client,cb}.c */ |
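
Review bot: The `#ifdef SSL_OP_NO_COMPRESSION` guard added in openSSLHandle() has no `#else` branch, so a build against OpenSSL headers that do not define the macro keeps TLS-level compression enabled and gives no sign that the CVE-2012-4929 mitigation is missing. Consider an `#else` that at least emits a compile-time `#warning`, or that empties the list returned by `SSL_COMP_get_compression_methods()` before the context is used. A one-line comment above `option |= SSL_OP_NO_COMPRESSION;` naming the CVE would also keep the reason for the flag visible in url.c.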