Hi pound folks,
I've successfully disabled SSL compression in pound (a requirement for
a platform which needs to be hardened against the CRIME attack).
I'd not seen any mention of this on the mailing lists so far, so I
thought I'd mention how I did it (and ask for any comments for
improvements on my method).
This site[1] described the SSL_OP_NO_COMPRESSION option, which I've
added to my pound's config.c file.
Just for the record, this is built against "OpenSSL 1.0.1c-fips", which
I described putting into place on CentOS 6 here[2].
Any comments on my first pound patch?
--- config.c.orig 2012-10-05 14:57:53.652702376 +0100
+++ config.c 2012-10-05 15:12:36.516952267 +0100
@@ -1136,6 +1136,7 @@
SSL_CTX_set_app_data(pc->ctx, res);
SSL_CTX_set_mode(pc->ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_options(pc->ctx, ssl_op_enable);
+ SSL_CTX_set_options(pc->ctx, SSL_OP_NO_COMPRESSION);
SSL_CTX_clear_options(pc->ctx, ssl_op_disable);
sprintf(lin, "%d-Pound-%ld", getpid(), random());
SSL_CTX_set_session_id_context(pc->ctx, (unsigned
char *)lin, strlen(lin));
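Review bot: the new SSL_CTX_set_options(pc->ctx, SSL_OP_NO_COMPRESSION) line should be wrapped in #ifdef SSL_OP_NO_COMPRESSION / #endif, because that macro only exists in OpenSSL 1.0.0 and later; the unguarded call breaks the build against 0.9.8, which pound is still commonly built against, while doing the right thing on the 1.0.1c mentioned in the post. A second point is ordering: the bit is set before the existing SSL_CTX_clear_options(pc->ctx, ssl_op_disable), so if ssl_op_disable can ever carry that bit from a config directive it is cleared again straight away; either OR SSL_OP_NO_COMPRESSION into ssl_op_enable ahead of the existing SSL_CTX_set_options(pc->ctx, ssl_op_enable) call, or move the new line below the clear_options call. Finally, this hunk covers only the listener context pc->ctx; if config.c creates any other SSL_CTX (for example for HTTPS back ends), that context needs the same option for the CRIME requirement to hold end to end.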
[1] http://www.dest-unreach.org/socat/contrib/socat-opensslcompress.html
[2] http://tech.fawk.eu/233/
--
Coops
--
To unsubscribe send an email with subject unsubscribe to [email protected].
Please contact [email protected] for questions.
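The following is an added, stand-alone example and is not code from Coops' post or from pound itself. It shows the same hardening step in Python's ssl module, which re-exports OpenSSL's option bits, so ssl.OP_NO_COMPRESSION is literally the SSL_OP_NO_COMPRESSION flag the patch ORs into the listener's SSL_CTX. It also reads the option word back as a post-configuration check, and reproduces the set-then-clear ordering of the patched hunk to show when a later clear_options call would undo the hardening. The function names, the omission of certificate loading, and the 0x00020000 macro value (taken from OpenSSL's ssl.h) are this example's own choices.

```python
"""Disable TLS compression on a server SSL_CTX and audit the result.

Added example; not from the mailing-list post or from pound. Python's ssl
module exposes OpenSSL's SSL_CTX option word, so the calls below map
directly onto SSL_CTX_set_options / SSL_CTX_clear_options / SSL_CTX_get_options.
"""
import ssl

# Value of SSL_OP_NO_COMPRESSION in OpenSSL's ssl.h (OpenSSL 1.0.0 and later).
SSL_OP_NO_COMPRESSION = 0x00020000


def option_bit_is_openssl_macro() -> bool:
    """Confirm that Python's constant is the OpenSSL macro value."""
    return int(ssl.OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION


def new_server_context() -> ssl.SSLContext:
    """A fresh listener-side context, i.e. what SSL_CTX_new() hands pound
    before any options are applied. Certificate loading is left out so the
    example runs without key material (assumption of this example); a real
    listener would call ctx.load_cert_chain(certfile, keyfile) here."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def harden_against_crime(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Equivalent of the added line in the patch:
    SSL_CTX_set_options(pc->ctx, SSL_OP_NO_COMPRESSION)."""
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """Read the option word back (SSL_CTX_get_options) and test the bit.
    This is the check to run after configuration, before accepting traffic."""
    return bool(int(ctx.options) & SSL_OP_NO_COMPRESSION)


def apply_pound_option_order(ctx: ssl.SSLContext,
                             ssl_op_enable: int,
                             ssl_op_disable: int) -> bool:
    """Mirror the sequence in the patched hunk:
        SSL_CTX_set_options(ctx, ssl_op_enable);
        SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
        SSL_CTX_clear_options(ctx, ssl_op_disable);
    and report whether compression is still disabled afterwards. Because the
    clear comes last, an ssl_op_disable word that carries the
    SSL_OP_NO_COMPRESSION bit silently undoes the hardening."""
    ctx.options = int(ctx.options) | ssl_op_enable          # SSL_CTX_set_options
    harden_against_crime(ctx)                               # the patch's new line
    ctx.options = int(ctx.options) & ~ssl_op_disable        # SSL_CTX_clear_options
    return compression_disabled(ctx)


def build_listener_context() -> ssl.SSLContext:
    """Hardened listener context, verified before it is handed back."""
    ctx = harden_against_crime(new_server_context())
    if not compression_disabled(ctx):
        raise RuntimeError("SSL_OP_NO_COMPRESSION not set on listener context")
    return ctx


if __name__ == "__main__":
    ctx = build_listener_context()
    print("compression disabled:", compression_disabled(ctx))
    print("survives a Disable of the same bit:",
          apply_pound_option_order(new_server_context(), 0, SSL_OP_NO_COMPRESSION))
```

For an external check of a running listener, `openssl s_client -connect host:443` prints a session summary whose `Compression:` line should read `NONE`; with an OpenSSL 1.1.0 or later client add `-comp`, since those clients no longer offer compression by default and would report `NONE` even against an unpatched server.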