From 095195f62944b7558ec70a1cd2a59570cddb1dc2 Mon Sep 17 00:00:00 2001
From: Cristian Rodriguez
Date: Thu, 7 Nov 2013 23:29:54 +0900
Subject: Use SSL_OP_NO_COMPRESSION if available
Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients that negotiate TLS-level compression can be abused for MITM attacks. Patch from openSUSE on 2012-11-12: https://build.opensuse.org/request/show/141054
---
 url.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'url.c')
diff --git a/url.c b/url.c
index ed6062e..e450d6c 100644
--- a/url.c
+++ b/url.c
@@ -337,6 +337,9 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
 if (strchr(ssl_forbid_method, 'T'))
 option |= SSL_OP_NO_TLSv1;
 }
+#ifdef SSL_OP_NO_COMPRESSION
+ option |= SSL_OP_NO_COMPRESSION;
+#endif
 SSL_CTX_set_options(ssl_ctx, option);
 #ifdef USE_SSL_VERIFY
 /* derived from openssl-0.9.5/apps/s_{client,cb}.c */
-- cgit v1.2.3
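Review bot: When the OpenSSL headers do not define `SSL_OP_NO_COMPRESSION` (which I believe is the case before OpenSSL 1.0.0), the added `#ifdef` block compiles to nothing, so TLS compression stays negotiable and the build gives no sign that the CVE-2012-4929 mitigation is missing. An `#else` branch could clear the compression method list on such libraries, for example `sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());`, or at minimum emit a `#warning` so packagers notice. The block would also benefit from a one-line comment such as `/* CVE-2012-4929 (CRIME): never negotiate TLS-level compression */`, since the reason currently lives only in the commit message. The body of openSSLHandle starts and ends outside this hunk, so whether `option` is later overridden cannot be checked from here.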