Posted to commits@qpid.apache.org by kg...@apache.org on 2014/10/16 16:52:45 UTC
svn commit: r1632325 - /qpid/proton/trunk/proton-c/src/ssl/openssl.c
Author: kgiusti
Date: Thu Oct 16 14:52:44 2014
New Revision: 1632325
URL: http://svn.apache.org/r1632325
Log:
PROTON-717: mitigate the CRIME SSL vulnerability
Modified:
qpid/proton/trunk/proton-c/src/ssl/openssl.c
Modified: qpid/proton/trunk/proton-c/src/ssl/openssl.c
URL: http://svn.apache.org/viewvc/qpid/proton/trunk/proton-c/src/ssl/openssl.c?rev=1632325&r1=1632324&r2=1632325&view=diff
==============================================================================
--- qpid/proton/trunk/proton-c/src/ssl/openssl.c (original)
+++ qpid/proton/trunk/proton-c/src/ssl/openssl.c Thu Oct 16 14:52:44 2014
@@ -481,6 +481,10 @@ pn_ssl_domain_t *pn_ssl_domain( pn_ssl_m
}
const long reject_insecure = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
SSL_CTX_set_options(domain->ctx, reject_insecure);
+#ifdef SSL_OP_NO_COMPRESSION
+ // Mitigate the CRIME vulnerability
+ SSL_CTX_set_options(domain->ctx, SSL_OP_NO_COMPRESSION);
+#endif
// by default, allow anonymous ciphers so certificates are not required 'out of the box'
if (!SSL_CTX_set_cipher_list( domain->ctx, CIPHERS_ANONYMOUS )) {
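Review bot: The `#ifdef SSL_OP_NO_COMPRESSION` guard has no `#else`, so a build against OpenSSL headers that do not define the flag compiles the mitigation out silently and TLS-level compression stays negotiable on every connection made from this domain. Which OpenSSL versions the project still supports is not visible here, but if such builds are possible the fallback should be explicit: either `#else` with `#warning "TLS compression cannot be disabled with this OpenSSL"`, or clearing the method list with `sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());`, bearing in mind that the latter is process-wide rather than per-context. The comment would also be clearer as `// Disable TLS compression to mitigate the CRIME attack`, since it names what the option does rather than only why. pn_ssl_domain's body begins and ends outside the hunk, so any later option changes on `domain->ctx` are not covered by this note.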