Hi Coops,

It's a great option to enable as I'm sure we all know, browser updates can
be a little on the slow side and even then some Company IT Policies don't
allow patches/updates to be put into place until they have been tested and
checked 20 times.

However, my understanding is that this is more of a Browser Issue than a
server issue. Don't get me wrong if we can stop it from happening on our
servers great but the problem still lies with the Browser developers and
they need to address the problem that end. (Just my 2 pence worth, and I
don't mean any offense.).

Saying that, I'll have a play with your patch and give it a good testing as
like I said it's a good option to have at our disposal.


~Yours,
Scott


On 5 October 2012 15:39, Hereward Cooper <co...@fawk.eu> wrote:

> Hi pound folks,
>
> I've successfully disabled SSL compression in pound (a requirement for
> a platform which needs to be hardened against the CRIME attack).
>
> I'd not seen any mention of this on the mailing lists so far, so I
> thought I'd mention how I did it (and ask for any comments for
> improvements on my method).
>
> This site[1] described the SSL_OP_NO_COMPRESSION option, which I've
> added to my pound's config.c file.
>
> Just for the record this is built against "OpenSSL 1.0.1c-fips" which
> I described putting into place on CentOS 6 here[2].
>
> Any comments on my first pound patch?
>
> --- config.c.orig       2012-10-05 14:57:53.652702376 +0100
> +++ config.c    2012-10-05 15:12:36.516952267 +0100
> @@ -1136,6 +1136,7 @@
>                  SSL_CTX_set_app_data(pc->ctx, res);
>                  SSL_CTX_set_mode(pc->ctx, SSL_MODE_AUTO_RETRY);
>                  SSL_CTX_set_options(pc->ctx, ssl_op_enable);
> +                SSL_CTX_set_options(pc->ctx, SSL_OP_NO_COMPRESSION);
>                  SSL_CTX_clear_options(pc->ctx, ssl_op_disable);
>                  sprintf(lin, "%d-Pound-%ld", getpid(), random());
>                  SSL_CTX_set_session_id_context(pc->ctx, (unsigned
> char *)lin, strlen(lin));
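
Review bot: The added SSL_CTX_set_options(pc->ctx, SSL_OP_NO_COMPRESSION) line is unguarded, and SSL_OP_NO_COMPRESSION is only defined from OpenSSL 1.0.0 onward, so config.c would stop compiling against older OpenSSL releases; wrapping the call in #ifdef SSL_OP_NO_COMPRESSION keeps those builds working. The call also sits before SSL_CTX_clear_options(pc->ctx, ssl_op_disable), so if ssl_op_disable ever carried that bit the flag would be cleared again; moving the new line after the clear would make the setting stick regardless of that mask.
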
>
>
>  [1] http://www.dest-unreach.org/socat/contrib/socat-opensslcompress.html
>  [2] http://tech.fawk.eu/233/
>
> --
> Coops
>
> --
> To unsubscribe send an email with subject unsubscribe to pound@apsis.ch.
> Please contact ro...@apsis.ch for questions.
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
