[ssl] disable SSL/TLS compression

As for the best recommended practices for SSL/TLS deployment, disable compression even if it's supported by both connection peers.
https://tools.ietf.org/html/rfc7525#section-3.3

Also, disabling SSL/TLS compression frees CPU resources.

Change-Id: Ib470d1c00abb5a4bdf4650fc3ed19b6d588ea78f
Reviewed-on: http://gerrit.cloudera.org:8080/4962
Tested-by: Kudu Jenkins
Reviewed-by: Dan Burkert <[email protected]>

Project: http://git-wip-us.apache.org/repos/asf/kudu/repo
Commit: http://git-wip-us.apache.org/repos/asf/kudu/commit/ae07d0dc
Tree: http://git-wip-us.apache.org/repos/asf/kudu/tree/ae07d0dc
Diff: http://git-wip-us.apache.org/repos/asf/kudu/diff/ae07d0dc

Branch: refs/heads/master
Commit: ae07d0dc4ebecdfd60f72d37f83eae02652f0eee
Parents: fd34f45
Author: Alexey Serbin <[email protected]>
Authored: Fri Nov 4 16:30:37 2016 -0700
Committer: Alexey Serbin <[email protected]>
Committed: Mon Nov 7 23:40:44 2016 +0000

----------------------------------------------------------------------
 src/kudu/util/net/ssl_factory.cc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/kudu/blob/ae07d0dc/src/kudu/util/net/ssl_factory.cc
----------------------------------------------------------------------
diff --git a/src/kudu/util/net/ssl_factory.cc b/src/kudu/util/net/ssl_factory.cc
index 8751d77..4fefb45 100644
--- a/src/kudu/util/net/ssl_factory.cc
+++ b/src/kudu/util/net/ssl_factory.cc
@@ -89,7 +89,13 @@ Status SSLFactory::Init() { // Disable SSLv2 and SSLv3 which are vulnerable to various issues such as POODLE. // We support versions back to TLSv1.0 since OpenSSL on RHEL 6.4 and earlier does not // not support TLSv1.1 or later. - SSL_CTX_set_options(ctx_.get(), SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); + // + // Disable SSL/TLS compression to free up CPU resources and be less prone + // to attacks exploiting the compression feature: + // https://tools.ietf.org/html/rfc7525#section-3.3 + SSL_CTX_set_options(ctx_.get(), + SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | + SSL_OP_NO_COMPRESSION); SSL_CTX_set_verify(ctx_.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE, nullptr); return Status::OK();
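Review bot: the diffstat shows only ssl_factory.cc changed, so nothing in this patch verifies that the new SSL_OP_NO_COMPRESSION flag actually takes effect on the context; consider a test in the ssl_factory test suite asserting `(SSL_CTX_get_options(ctx_.get()) & SSL_OP_NO_COMPRESSION) != 0` after `Init()`, so a later refactor of the `SSL_CTX_set_options` call cannot silently drop the flag. Two smaller points in the same block: the unchanged context comment still reads "does not // not support TLSv1.1 or later", a doubled "not" that is worth fixing while this comment is being extended, and the added comment would be more useful to the next reader if it named the risk class it is mitigating (compression-oracle attacks on TLS, the reason RFC 7525 section 3.3 gives) rather than only the generic "attacks exploiting the compression feature".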
