Posted to commits@qpid.apache.org by kg...@apache.org on 2014/10/16 16:52:45 UTC

svn commit: r1632325 - /qpid/proton/trunk/proton-c/src/ssl/openssl.c

Author: kgiusti
Date: Thu Oct 16 14:52:44 2014
New Revision: 1632325

URL: http://svn.apache.org/r1632325
Log:
PROTON-717: mitigate the CRIME SSL vulnerability

Modified:
    qpid/proton/trunk/proton-c/src/ssl/openssl.c

Modified: qpid/proton/trunk/proton-c/src/ssl/openssl.c
URL: http://svn.apache.org/viewvc/qpid/proton/trunk/proton-c/src/ssl/openssl.c?rev=1632325&r1=1632324&r2=1632325&view=diff
==============================================================================
--- qpid/proton/trunk/proton-c/src/ssl/openssl.c (original)
+++ qpid/proton/trunk/proton-c/src/ssl/openssl.c Thu Oct 16 14:52:44 2014
@@ -481,6 +481,10 @@ pn_ssl_domain_t *pn_ssl_domain( pn_ssl_m
   }
   const long reject_insecure = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
   SSL_CTX_set_options(domain->ctx, reject_insecure);
+#ifdef SSL_OP_NO_COMPRESSION
+  // Mitigate the CRIME vulnerability
+  SSL_CTX_set_options(domain->ctx, SSL_OP_NO_COMPRESSION);
+#endif
 
   // by default, allow anonymous ciphers so certificates are not required 'out of the box'
   if (!SSL_CTX_set_cipher_list( domain->ctx, CIPHERS_ANONYMOUS )) {
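Review bot: When the OpenSSL headers do not define `SSL_OP_NO_COMPRESSION`, the added `#ifdef` block compiles to nothing, so TLS compression stays enabled and the build gives no sign that the CRIME mitigation is missing. Consider adding an `#else` branch that empties the compression method list, `sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());`, bearing in mind that this list is process-wide and would also affect other OpenSSL users in the same process. If that fallback is not wanted, the `#else` should at least carry a comment such as `// OpenSSL too old to disable compression: connections remain exposed to CRIME` so the gap is visible to packagers. The existing comment could also say why compression is disabled, e.g. `// Disable TLS compression: compressed length leaks secrets (CRIME)`. The body of pn_ssl_domain starts and ends outside this hunk, so I cannot tell whether the return value of the options call is checked elsewhere.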


