Thanks for the comments, folks.

Scott - I haven't read around the attack a huge amount. Instead I've
been simply tasked with ensuring a domain is hardened against the
attack regardless. Interesting to hear it's considered principally a
browser issue.

Joe - yes I am running your patches :-) thanks for incorporating my
change into a workable patch so quickly! It's the first time I've
hand-coded the pound source.

Coops.


On 5 October 2012 17:12, Joe Gooch <mrwiz...@k12system.com> wrote:
> Patch (plus 0.9.8 versions) added to my upstreamfixes/2.6f_sslrenegotiation 
> branch and stage_for_upstream/v2.7b branches on github.
>
> Commit here:
> https://github.com/goochjj/pound/commit/a0c52c542ca9620a96750f9877b26bf4c84aef1b
> Diff is here:
> https://github.com/goochjj/pound/commit/a0c52c542ca9620a96750f9877b26bf4c84aef1b.diff
>
> Joe
>
>> -----Original Message-----
>> From: Joe Gooch [mailto:mrwiz...@k12system.com]
>> Sent: Friday, October 05, 2012 11:47 AM
>> To: 'pound@apsis.ch'
>> Subject: RE: [Pound Mailing List] Disabling SSL Compression (one line
>> patch)
>>
>> Also, it appears that option only exists in OPENSSL 1.0 versions.  So
>> you'll probably need to surround it with an ifdef.
>>
>> Joe
>>
>> > -----Original Message-----
>> > From: Joe Gooch
>> > Sent: Friday, October 05, 2012 11:42 AM
>> > To: 'pound@apsis.ch'
>> > Subject: RE: [Pound Mailing List] Disabling SSL Compression (one line
>> > patch)
>> >
>> > Looks to me like you already have my SSL patches applied (hence the
>> > ssl_op_enable and ssl_op_disable references)... You probably need only
>> > add it to ssl_op_enable at the top of that function. (i.e. SSL_OP_ALL |
>> > SSL_OP_NO_COMPRESSION)  This will make sure the flag is set in SNI
>> > config blocks as well.
>> >
>> > I'm not sure if it's appropriate to set for HTTPS backends as well.
>> > (They're within our "trusted" network anyway... so network scanning
>> > hopefully is more unlikely)  but you'd want to catch those ctx options
>> > as well.
>> >
>> > Joe
>> >
>> > > -----Original Message-----
>> > > From: Hereward Cooper [mailto:co...@fawk.eu]
>> > > Sent: Friday, October 05, 2012 10:40 AM
>> > > To: pound@apsis.ch
>> > > Subject: [Pound Mailing List] Disabling SSL Compression (one line
>> > > patch)
>> > >
>> > > Hi pound folks,
>> > >
>> > > I've successfully disabled SSL compression in pound (a requirement for
>> > > a platform which needs to be hardened against the CRIME attack).
>> > >
>> > > I'd not seen any mention of this on the mailing lists so far, so I
>> > > thought I'd mention how I did it (and ask for any comments for
>> > > improvements on my method).
>> > >
>> > > This site[1] described the SSL_OP_NO_COMPRESSION option, which I've
>> > > added to my pound's config.c file.
>> > >
>> > > Just for the record this is built against "OpenSSL 1.0.1c-fips"
>> > > which I described putting into place on CentOS 6 here[2].
>> > >
>> > > Any comments on my first pound patch?
>> > >
>> > > --- config.c.orig 2012-10-05 14:57:53.652702376 +0100
>> > > +++ config.c      2012-10-05 15:12:36.516952267 +0100
>> > > @@ -1136,6 +1136,7 @@
>> > >                  SSL_CTX_set_app_data(pc->ctx, res);
>> > >                  SSL_CTX_set_mode(pc->ctx, SSL_MODE_AUTO_RETRY);
>> > >                  SSL_CTX_set_options(pc->ctx, ssl_op_enable);
>> > > +                SSL_CTX_set_options(pc->ctx,
>> > > + SSL_OP_NO_COMPRESSION);
>> > >                  SSL_CTX_clear_options(pc->ctx, ssl_op_disable);
>> > >                  sprintf(lin, "%d-Pound-%ld", getpid(), random());
>> > >                  SSL_CTX_set_session_id_context(pc->ctx, (unsigned
>> > > char *)lin, strlen(lin));
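Review bot: the new `SSL_CTX_set_options(pc->ctx, SSL_OP_NO_COMPRESSION);` call only covers the one ctx built at this point; folding the flag into the ssl_op_enable mask (`SSL_OP_ALL | SSL_OP_NO_COMPRESSION`) would let the existing `SSL_CTX_set_options(pc->ctx, ssl_op_enable);` line set it wherever that mask is applied, including the SNI config blocks, and the HTTPS backend contexts should be checked for the same flag. The macro exists only in OpenSSL 1.0.x, so guard the use with `#ifdef SSL_OP_NO_COMPRESSION` or the build breaks against 0.9.8. Also, the hunk header announces a single added line but the `+` line arrives split across two lines (`+ SSL_OP_NO_COMPRESSION);`), so the patch will not apply as pasted; send it as an attachment or a commit link.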
>> > >
>> > >
>> > >  [1] http://www.dest-unreach.org/socat/contrib/socat-opensslcompress.html
>> > >  [2] http://tech.fawk.eu/233/
>> > >
>> > > --
>> > > Coops
>> > >
>> > > --
>> > > To unsubscribe send an email with subject unsubscribe to
>> > > pound@apsis.ch.
>> > > Please contact ro...@apsis.ch for questions.
>>
>



-- 
Coops

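A verification step for the change discussed in this thread, added here as an example and not code from the thread or from Pound: once SSL_OP_NO_COMPRESSION is set on the listener's context, the session summary printed by `openssl s_client` should report `Compression: NONE`. The script assumes OpenSSL's s_client is on PATH; the host and port in the usage comment are placeholders, and the decision logic is split out so it can be run on captured output without a network.

```shell
#!/bin/sh
# Added example, not code from the thread or from Pound: confirm that a TLS
# listener negotiates no compression after SSL_OP_NO_COMPRESSION is set.
# Assumes OpenSSL's s_client is on PATH; host and port below are placeholders.

# Pull the negotiated compression method out of s_client's "SSL-Session"
# summary (read from stdin so it can also be run on captured output).
compression_method() {
    sed -n 's/^[[:space:]]*Compression:[[:space:]]*//p' | head -n 1
}

# Decide from the summary text: "hardened" when compression is NONE,
# otherwise "vulnerable:<method>" (or "unknown" if the line is missing).
verdict_for() {
    m=$(printf '%s\n' "$1" | compression_method)
    case "$m" in
        NONE) echo hardened ;;
        "")   echo unknown ;;
        *)    echo "vulnerable:$m" ;;
    esac
}

# Live check against a listener, e.g.: check_no_compression lb.example.invalid 443
# Exit status 0 only when the handshake summary reports Compression: NONE.
check_no_compression() {
    summary=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null)
    v=$(verdict_for "$summary")
    echo "$1:$2 $v"
    [ "$v" = hardened ]
}
```

Run `check_no_compression` against each Pound listener (and, if the flag was also applied to backend contexts, against the backends); an "unknown" verdict means the handshake itself failed and the result says nothing about compression.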
