On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller <abaci....@gmail.com> wrote:
> I was going to do this:
>
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);
Yeah, it looks like that's the option. I would prefer to remove the
code paths altogether, though.

If the code path does not exist, it cannot be executed.

Jeff

> On Fri, Dec 28, 2012 at 3:14 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
>>
>> On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller <abaci....@gmail.com>
>> wrote:
>> > I compiled openssl with no-zlib
>> >
>> > ldd client
>> >         linux-vdso.so.1 =>  (0x00007fff059ff000)
>> >         libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x00007fefccdc9000)
>> >         libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0
>> > (0x00007fefcca17000)
>> >         libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fefcc7fa000)
>> >         libc.so.6 => /lib64/libc.so.6 (0x00007fefcc48d000)
>> >         libdl.so.2 => /lib64/libdl.so.2 (0x00007fefcc289000)
>> >         libz.so.1 => /lib64/libz.so.1 (0x00007fefcc071000)
>> >         /lib64/ld-linux-x86-64.so.2 (0x00007fefcd025000)
>> >
>> > It is still using the default libraries; when the client runs in this
>> > environment, it suggests 2 compression methods in the handshake (NULL
>> > and xxxx).
>> >
>> > then I change the LD_LIBRARY_PATH env and run again:
>> >
>> >> export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib
>> >> ldd client
>> >         linux-vdso.so.1 =>  (0x00007fff42cfa000)
>> >         libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0
>> > (0x00007f76caf15000)
>> >         libcrypto.so.1.0.0 =>
>> > /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x00007f76cab34000)
>> >         libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f76ca917000)
>> >         libc.so.6 => /lib64/libc.so.6 (0x00007f76ca5aa000)
>> >         libdl.so.2 => /lib64/libdl.so.2 (0x00007f76ca3a6000)
>> >         /lib64/ld-linux-x86-64.so.2 (0x00007f76cb17f000)
>> >
>> > and in this environment (note that libz is missing), the client only
>> > suggests 1 compression method (NULL) in the handshake.
>> >
>> > So, compiling with no-zlib is not sufficient for turning off
>> > compression. It is also required to take specific actions to use the
>> > openssl libraries compiled with the no-zlib option at runtime.
>> >
>> > I expect that by using SSL_OP_NO_COMPRESSION, compression will be
>> > suppressed regardless of the linkage of zlib, but I haven't tested that
>> > proposal yet.
>> This is bad news.... I believe the redefinition is because I built the
>> FIPS Object Module first according to the Security Policy (give or
>> take). That meant no knob turning whatsoever, and I had to invoke
>> 'configure' with no arguments.
>>
>> Then, when it came time for FIPS Capable OpenSSL:
>>
>> ./config --openssldir=/usr/local/ssl/iphoneos/
>> --with-fipsdir=/usr/local/ssl/iphoneos/ -no-dtls -no-hw -no-zlib
>> -no-shared -no-dso -DSSL_OP_NO_COMPRESSION
>>
>> which eventually results in:
>>
>> ...
>> ../../util/domd ../.. -MD
>>
>> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc
>> -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch
>> armv7 -O3 -isysroot
>>
>> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk
>> -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1
>> -I../evp -I../../include  -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS
>> -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE
>> -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779
>> -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE --  srp_lib.c srp_vfy.c
>> making depend in crypto/cmac...
>> ../../util/domd ../.. -MD
>>
>> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc
>> -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch
>> armv7 -O3 -isysroot
>>
>> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk
>> -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1
>> -I../evp -I../../include  -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS
>> -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE
>> -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779
>> -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE --  cmac.c cm_ameth.c cm_pmeth.c
>> making depend in ssl...
>> In file included from ssl_locl.h:165,
>>                  from s2_meth.c:59:
>> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
>> <command-line>: error: this is the location of the previous definition
>> In file included from ssl_locl.h:165,
>>                  from s2_srvr.c:112:
>> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
>> <command-line>: error: this is the location of the previous definition
>> In file included from ssl_locl.h:165,
>>                  from s2_clnt.c:112:
>> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
>> <command-line>: error: this is the location of the previous definition
>> In file included from ssl_locl.h:165,
>>                  from s2_lib.c:112:
>> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
>> <command-line>: error: this is the location of the previous definition
>> ...
>> [30 or 50 or so duplicate errors removed]
>> ...
>>
>> <command-line>: error: this is the location of the previous definition
>> make[1]: *** [depend] Error 1
>> make: *** [depend] Error 1
>>
>> > On Tue, Dec 25, 2012 at 12:27 PM, Jeffrey Walton <noloa...@gmail.com>
>> > wrote:
>> >>
>> >> Is it sufficient to use -no-zlib to turn off SSL/TLS compression? Or
>> >> is compression available through other libraries?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
