authorCristian Rodriguez <crrodriguez@opensuse.org>2013-11-07 14:29:54 +0000
committerTatsuya Kinoshita <tats@debian.org>2013-11-07 14:29:54 +0000
commit095195f62944b7558ec70a1cd2a59570cddb1dc2 (patch)
tree26d678c8d02014f89cb0b768a0c82e485293618a
parentMerge from upstream on 2012-05-22 (diff)
downloadw3m-095195f62944b7558ec70a1cd2a59570cddb1dc2.tar.gz
w3m-095195f62944b7558ec70a1cd2a59570cddb1dc2.zip
Use SSL_OP_NO_COMPRESSION if available
Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients that negotiate TLS-level compression can be abused for MITM attacks. Patch from openSUSE on 2012-11-12: https://build.opensuse.org/request/show/141054
-rw-r--r--url.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/url.c b/url.c
index ed6062e..e450d6c 100644
--- a/url.c
+++ b/url.c
@@ -337,6 +337,9 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
if (strchr(ssl_forbid_method, 'T'))
option |= SSL_OP_NO_TLSv1;
}
+#ifdef SSL_OP_NO_COMPRESSION
+ option |= SSL_OP_NO_COMPRESSION;
+#endif
SSL_CTX_set_options(ssl_ctx, option);
#ifdef USE_SSL_VERIFY
/* derived from openssl-0.9.5/apps/s_{client,cb}.c */
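Review bot: When the OpenSSL headers do not define `SSL_OP_NO_COMPRESSION` (introduced, as far as I recall, in OpenSSL 1.0.0), the `#ifdef` added before `SSL_CTX_set_options` compiles to nothing, so such builds keep negotiating TLS compression with no build-time or run-time indication. An `#else` branch could cover them, for example `sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());`, which empties the process-wide compression method list, or at least a `#warning` so packagers know the CRIME mitigation is absent. A short comment above the guard, `/* CVE-2012-4929 (CRIME): never negotiate TLS-level compression */`, would keep the reason next to the code. openSSLHandle starts and ends outside this hunk, so the rest of the context setup is not visible here.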