I was going to do this:

    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);
On Fri, Dec 28, 2012 at 3:14 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller <abaci....@gmail.com> wrote:
> > I compiled openssl with no-zlib
> >
> > ldd client
> >     linux-vdso.so.1 => (0x00007fff059ff000)
> >     libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x00007fefccdc9000)
> >     libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x00007fefcca17000)
> >     libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fefcc7fa000)
> >     libc.so.6 => /lib64/libc.so.6 (0x00007fefcc48d000)
> >     libdl.so.2 => /lib64/libdl.so.2 (0x00007fefcc289000)
> >     libz.so.1 => /lib64/libz.so.1 (0x00007fefcc071000)
> >     /lib64/ld-linux-x86-64.so.2 (0x00007fefcd025000)
> >
> > It is still using the default libraries; when the client runs in this
> > environment, it suggests 2 compression methods in the handshake (NULL, and
> > xxxx).
> >
> > Then I change the LD_LIBRARY_PATH env and run again:
> >
> >> export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib
> >> ldd client
> >     linux-vdso.so.1 => (0x00007fff42cfa000)
> >     libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0 (0x00007f76caf15000)
> >     libcrypto.so.1.0.0 => /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x00007f76cab34000)
> >     libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f76ca917000)
> >     libc.so.6 => /lib64/libc.so.6 (0x00007f76ca5aa000)
> >     libdl.so.2 => /lib64/libdl.so.2 (0x00007f76ca3a6000)
> >     /lib64/ld-linux-x86-64.so.2 (0x00007f76cb17f000)
> >
> > And in this environment (note that libz is missing), the client only
> > suggests 1 compression method (NULL) in the handshake.
> >
> > So, compiling with no-zlib is not sufficient for turning off compression.
> > It is also required to take specific actions to use the openssl libraries
> > compiled with the no-zlib option at runtime.
> >
> > I expect that by using SSL_OP_NO_COMPRESSION, compression will be suppressed
> > regardless of the linkage of zlib, but I haven't tested that proposal yet.
>
> This is bad news....
> I believe the redefinition is because I built the FIPS Object Module first
> according to the Security Policy (give or take). That meant no knob turning
> whatsoever, and I had to invoke 'configure' with no arguments.
>
> Then, when it came time for FIPS Capable OpenSSL:
>
> ./config --openssldir=/usr/local/ssl/iphoneos/ --with-fipsdir=/usr/local/ssl/iphoneos/ -no-dtls -no-hw -no-zlib -no-shared -no-dso -DSSL_OP_NO_COMPRESSION
>
> which eventually results in:
>
> ...
> ../../util/domd ../.. -MD /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch armv7 -O3 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -- srp_lib.c srp_vfy.c
> making depend in crypto/cmac...
> ../../util/domd ../.. -MD /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch armv7 -O3 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -- cmac.c cm_ameth.c cm_pmeth.c
> making depend in ssl...
> In file included from ssl_locl.h:165,
>                  from s2_meth.c:59:
> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
> <command-line>: error: this is the location of the previous definition
> In file included from ssl_locl.h:165,
>                  from s2_srvr.c:112:
> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
> <command-line>: error: this is the location of the previous definition
> In file included from ssl_locl.h:165,
>                  from s2_clnt.c:112:
> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
> <command-line>: error: this is the location of the previous definition
> In file included from ssl_locl.h:165,
>                  from s2_lib.c:112:
> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
> <command-line>: error: this is the location of the previous definition
> ...
> [30 or 50 or so duplicate errors removed]
> ...
>
> <command-line>: error: this is the location of the previous definition
> make[1]: *** [depend] Error 1
> make: *** [depend] Error 1
>
> > On Tue, Dec 25, 2012 at 12:27 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> >>
> >> Is it sufficient to use -no-zlib to turn off SSL/TLS compression? Or
> >> is compression available through other libraries?
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
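The conclusion of the thread is that the build-time `no-zlib` knob only controls which libssl you compiled, not which libssl the dynamic loader hands your process, whereas `SSL_OP_NO_COMPRESSION` is a per-context runtime option that the loaded library enforces whether or not it was built with zlib. The following is an added example, not code from the thread, showing the same runtime option set, inspected, and enforced after the handshake through Python's `ssl` module, which exposes the same OpenSSL option bits (`ssl.OP_NO_COMPRESSION` maps to `SSL_OP_NO_COMPRESSION`). All function names are mine; the version floor stands in for `SSL_OP_NO_SSLv2`, which Python deprecates in favour of `minimum_version`.

```python
import ssl
from typing import Optional

# The runtime knob from the thread's SSL_CTX_set_options() call. It is stored
# on the context and honoured by whichever libssl the loader actually mapped,
# so it still holds if LD_LIBRARY_PATH points at a zlib-enabled build.
REQUIRED_OPTIONS = ssl.OP_NO_COMPRESSION


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses TLS compression regardless of how libssl was built."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    # Version floor instead of SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 (same effect, not deprecated).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= REQUIRED_OPTIONS
    return ctx


def relaxed_client_context() -> ssl.SSLContext:
    """Context with the bit cleared: what a zlib-linked libssl would use to offer
    compression. Shown only to make the difference visible, not for real use."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options &= ~ssl.OP_NO_COMPRESSION  # Python clears via SSL_CTX_clear_options()
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context will neither offer nor accept a TLS compression method."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def compression_is_acceptable(method: Optional[str]) -> bool:
    """Post-handshake policy: only the NULL method (reported as None) is allowed."""
    return method is None


def require_no_compression(tls) -> None:
    """tls is an ssl.SSLSocket or ssl.SSLObject after do_handshake().
    Raise if the peer somehow negotiated a compression method (e.g. 'zlib')."""
    method = tls.compression()
    if not compression_is_acceptable(method):
        raise ssl.SSLError(f"TLS compression negotiated ({method}); refusing connection")


def loaded_openssl_version() -> str:
    """Which libssl this process actually loaded; the analogue of the ldd check above."""
    return ssl.OPENSSL_VERSION


if __name__ == "__main__":
    print(loaded_openssl_version())
    print("hardened:", compression_disabled(hardened_client_context()))
    print("relaxed:", compression_disabled(relaxed_client_context()))
```

Use `require_no_compression()` right after `do_handshake()` on any connection whose context you did not build yourself, since a library that hands you a context may have cleared the bit the way `relaxed_client_context()` does.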