cURL / Mailing Lists / curl-library / Single Mail

curl-library

[PATCH] Disable SSL/TLS compression

From: Cristian Rodríguez <crrodriguez_at_opensuse.org>
Date: Mon, 12 Nov 2012 12:41:58 -0300

It either causes increased memory usage or exposes users
to the "CRIME attack" (CVE-2012-4929)

---
 lib/ssluse.c |    4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/ssluse.c b/lib/ssluse.c
index 7c4c926..92ae2e3 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1501,6 +1501,10 @@ ossl_connect_step1(struct connectdata *conn,
   ctx_options |= SSL_OP_NO_TICKET;
 #endif
 
+#ifdef SSL_OP_NO_COMPRESSION
+  ctx_options |= SSL_OP_NO_COMPRESSION;
+#endif
+
 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
   /* mitigate CVE-2010-4180 */
   ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
-- 
1.7.10.4
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Received on 2012-11-12

This message: [ Message body ]
Next message: Aldo Jose Spanghero Romao: "Increasing delay when calling 'curl_easy_perform'"
Previous message: Daniel Stenberg: "Re: Does libcurl supports LDAP connections over SOCKS proxy?"
Next in thread: Daniel Stenberg: "Re: [PATCH] Disable SSL/TLS compression"
Reply: Daniel Stenberg: "Re: [PATCH] Disable SSL/TLS compression"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]