From 095195f62944b7558ec70a1cd2a59570cddb1dc2 Mon Sep 17 00:00:00 2001
From: Cristian Rodriguez
Date: Thu, 7 Nov 2013 23:29:54 +0900
Subject: Use SSL_OP_NO_COMPRESSION if available

Due to the "CRIME attack" (CVE-2012-4929) HTTPS clients that negotiate TLS-level compression can be abused for MITM attacks. Patch from openSUSE on 2012-11-12: https://build.opensuse.org/request/show/141054
---
 url.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'url.c')

diff --git a/url.c b/url.c
index ed6062e..e450d6c 100644
--- a/url.c
+++ b/url.c
@@ -337,6 +337,9 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
 if (strchr(ssl_forbid_method, 'T'))
 option |= SSL_OP_NO_TLSv1;
 }
+#ifdef SSL_OP_NO_COMPRESSION
+ option |= SSL_OP_NO_COMPRESSION;
+#endif
 SSL_CTX_set_options(ssl_ctx, option);
 #ifdef USE_SSL_VERIFY
 /* derived from openssl-0.9.5/apps/s_{client,cb}.c */
-- 
cgit v1.2.3

From e3e5821562e4e14ebc519f419de2520811398ee5 Mon Sep 17 00:00:00 2001
From: Cristian Rodriguez
Date: Thu, 7 Nov 2013 23:32:59 +0900
Subject: Use SSL_MODE_RELEASE_BUFFERS if available

Patch from openSUSE on 2012-11-12: https://build.opensuse.org/request/show/141054
---
 url.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'url.c')

diff --git a/url.c b/url.c
index e450d6c..5b23460 100644
--- a/url.c
+++ b/url.c
@@ -341,6 +341,11 @@ openSSLHandle(int sock, char *hostname, char **p_cert)
 option |= SSL_OP_NO_COMPRESSION;
 #endif
 SSL_CTX_set_options(ssl_ctx, option);
+
+#ifdef SSL_MODE_RELEASE_BUFFERS
+ SSL_CTX_set_mode (ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
+
 #ifdef USE_SSL_VERIFY
 /* derived from openssl-0.9.5/apps/s_{client,cb}.c */
 #if 1 /* use SSL_get_verify_result() to verify cert */
-- 
cgit v1.2.3
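Review bot: On OpenSSL builds that do not define SSL_OP_NO_COMPRESSION (0.9.8 and older) the `#ifdef` in this hunk silently leaves TLS compression negotiable, so the CRIME mitigation is version-dependent and nothing in the code records that. If those versions are still supported, an `#else` branch that empties the global compression method list instead, `sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());`, closes the gap there (it acts process-wide rather than per context); otherwise at least document the gap. The added lines also carry no explanation, so a reader finds the reason only in git history; a one-liner above the `#ifdef`, `/* CVE-2012-4929 (CRIME): never negotiate TLS-level compression */`, keeps it with the code. For the record, CRIME is a chosen-plaintext length side channel that lets an on-path observer recover secrets such as cookies, not a MITM attack as the message puts it. openSSLHandle() starts before and ends after this hunk.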
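Review bot: SSL_MODE_RELEASE_BUFFERS is a memory-footprint knob rather than a hardening option, and the added `SSL_CTX_set_mode` call gives no hint of that, so a later reader will assume it belongs with the CRIME fix just above it; a comment such as `/* let OpenSSL free idle I/O buffers (OpenSSL >= 1.0.0); saves memory, no security effect */` would settle it. Worth knowing that OpenSSL 1.0.0 before 1.0.0m and 1.0.1 before 1.0.1h have a race with this mode (CVE-2010-5298) when one SSL object is driven concurrently from several threads; whether w3m ever does that cannot be seen from here, so confirm before relying on the mode or gate it on a fixed OpenSSL version. Style: `SSL_CTX_set_mode (ssl_ctx, ...)` puts a space before the parenthesis while the neighbouring `SSL_CTX_set_options(ssl_ctx, option)` does not, so `SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);` matches the file. openSSLHandle() begins and ends outside this hunk.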