Patch (plus 0.9.8 versions) added to my upstreamfixes/2.6f_sslrenegotiation 
branch and stage_for_upstream/v2.7b branches on github.

Commit here:
https://github.com/goochjj/pound/commit/a0c52c542ca9620a96750f9877b26bf4c84aef1b
Diff is here:
https://github.com/goochjj/pound/commit/a0c52c542ca9620a96750f9877b26bf4c84aef1b.diff

Joe

> -----Original Message-----
> From: Joe Gooch [mailto:mrwiz...@k12system.com]
> Sent: Friday, October 05, 2012 11:47 AM
> To: 'pound@apsis.ch'
> Subject: RE: [Pound Mailing List] Disabling SSL Compression (one line patch)
> 
> Also, it appears that option only exists in OPENSSL 1.0 versions.  So
> you'll probably need to surround it with an ifdef.
> 
> Joe
> 
> > -----Original Message-----
> > From: Joe Gooch
> > Sent: Friday, October 05, 2012 11:42 AM
> > To: 'pound@apsis.ch'
> > Subject: RE: [Pound Mailing List] Disabling SSL Compression (one line patch)
> >
> > Looks to me like you already have my SSL patches applied (hence the
> > ssl_op_enable and ssl_op_disable references)... You probably need only
> > add it to ssl_op_enable at the top of that function. (i.e. SSL_OP_ALL |
> > SSL_OP_NO_COMPRESSION)  This will make sure the flag is set in SNI
> > config blocks as well.
> >
> > I'm not sure if it's appropriate to set for HTTPS backends as well.
> > (They're within our "trusted" network anyway... so network scanning
> > hopefully is more unlikely)  but you'd want to catch those ctx options
> > as well.
> >
> > Joe
> >
> > > -----Original Message-----
> > > From: Hereward Cooper [mailto:co...@fawk.eu]
> > > Sent: Friday, October 05, 2012 10:40 AM
> > > To: pound@apsis.ch
> > > Subject: [Pound Mailing List] Disabling SSL Compression (one line patch)
> > >
> > > Hi pound folks,
> > >
> > > I've successfully disabled SSL compression in pound (a requirement for
> > > a platform which needs to be hardened against the CRIME attack).
> > >
> > > I'd not seen any mention of this on the mailing lists so far, so I
> > > thought I'd mention how I did it (and ask for any comments for
> > > improvements on my method).
> > >
> > > This site[1] described the SSL_OP_NO_COMPRESSION option, which I've
> > > added to my pound's config.c file.
> > >
> > > Just for the record this is built against "OpenSSL 1.0.1c-fips"
> > > which I described putting into place on CentOS 6 here[2].
> > >
> > > Any comments on my first pound patch?
> > >
> > > --- config.c.orig 2012-10-05 14:57:53.652702376 +0100
> > > +++ config.c      2012-10-05 15:12:36.516952267 +0100
> > > @@ -1136,6 +1136,7 @@
> > >                  SSL_CTX_set_app_data(pc->ctx, res);
> > >                  SSL_CTX_set_mode(pc->ctx, SSL_MODE_AUTO_RETRY);
> > >                  SSL_CTX_set_options(pc->ctx, ssl_op_enable);
> > > +                SSL_CTX_set_options(pc->ctx,
> > > + SSL_OP_NO_COMPRESSION);
> > >                  SSL_CTX_clear_options(pc->ctx, ssl_op_disable);
> > >                  sprintf(lin, "%d-Pound-%ld", getpid(), random());
> > >                  SSL_CTX_set_session_id_context(pc->ctx, (unsigned
> > > char *)lin, strlen(lin));
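Review bot: the hunk header `@@ -1136,6 +1136,7 @@` accounts for one added line, but the hunk carries two `+` lines because the new call was wrapped by the mailer (`+                SSL_CTX_set_options(pc->ctx,` / `+ SSL_OP_NO_COMPRESSION);`), so `patch` will reject this as mailed; rejoin it into a single `+` line before sending. As a logic point, OR-ing the flag into `ssl_op_enable` (which is already passed to `SSL_CTX_set_options` one line above) is preferable to a second call on this one ctx, because every context built from `ssl_op_enable`, including the SNI config blocks, then gets it for free. `SSL_OP_NO_COMPRESSION` is only defined from OpenSSL 1.0.0 on, so guard the addition with `#ifdef SSL_OP_NO_COMPRESSION` to keep 0.9.8 builds compiling.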
> > >
> > >
> > >  [1] http://www.dest-unreach.org/socat/contrib/socat-opensslcompress.html
> > >  [2] http://tech.fawk.eu/233/
> > >
> > > --
> > > Coops
> > >
> > > --
> > > To unsubscribe send an email with subject unsubscribe to
> > > pound@apsis.ch.
> > > Please contact ro...@apsis.ch for questions.