PROTON-717: mitigate the CRIME SSL vulnerability git-svn-id: https://svn.apache.org/repos/asf/qpid/proton/trunk@1632325 13f79535-47bb-0310-9956-ffa450edef68
Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/423dbc5d Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/423dbc5d Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/423dbc5d Branch: refs/heads/examples Commit: 423dbc5d3db9c48f830b689abce44ce0348608cb Parents: 8f334e5 Author: Ken Giusti <[email protected]> Authored: Thu Oct 16 14:52:44 2014 +0000 Committer: Ken Giusti <[email protected]> Committed: Thu Oct 16 14:52:44 2014 +0000 ---------------------------------------------------------------------- proton-c/src/ssl/openssl.c | 4 ++++ 1 file changed, 4 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/423dbc5d/proton-c/src/ssl/openssl.c ----------------------------------------------------------------------
diff --git a/proton-c/src/ssl/openssl.c b/proton-c/src/ssl/openssl.c
index 7c71eef..c9536e2 100644
--- a/proton-c/src/ssl/openssl.c
+++ b/proton-c/src/ssl/openssl.c
@@ -481,6 +481,10 @@ pn_ssl_domain_t *pn_ssl_domain( pn_ssl_mode_t mode )
 }
 const long reject_insecure = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
 SSL_CTX_set_options(domain->ctx, reject_insecure);
+#ifdef SSL_OP_NO_COMPRESSION
+ // Mitigate the CRIME vulnerability
+ SSL_CTX_set_options(domain->ctx, SSL_OP_NO_COMPRESSION);
+#endif
 // by default, allow anonymous ciphers so certificates are not required 'out of the box'
 if (!SSL_CTX_set_cipher_list( domain->ctx, CIPHERS_ANONYMOUS )) {
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
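Review bot: The `#ifdef SSL_OP_NO_COMPRESSION` guard in pn_ssl_domain() lets the CRIME mitigation vanish silently when the OpenSSL headers used for the build do not define that option (it first appeared in OpenSSL 1.0.0), so such a build still negotiates TLS compression with no indication to the operator. An `#else` branch could empty the compression method list instead, `sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());`, with a comment noting that this list is process-wide and therefore affects every SSL_CTX in the process; if that side effect is not acceptable, the `#else` branch should at least log that compression could not be disabled. The new flag could also be folded into the existing `reject_insecure` mask so the hardening options are set in a single `SSL_CTX_set_options` call. The body of pn_ssl_domain() starts and ends outside this hunk.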
