Looks to me like you already have my SSL patches applied (hence the ssl_op_enable and ssl_op_disable references)... You probably need only add it to ssl_op_enable at the top of that function. (i.e. SSL_OP_ALL | SSL_OP_NO_COMPRESSION) This will make sure the flag is set in SNI config blocks as well.
I'm not sure if it's appropriate to set for HTTPS backends as well. (They're within our "trusted" network anyway... so network scanning hopefully is more unlikely) but you'd want to catch those ctx options as well.

Joe

> -----Original Message-----
> From: Hereward Cooper [mailto:[email protected]]
> Sent: Friday, October 05, 2012 10:40 AM
> To: [email protected]
> Subject: [Pound Mailing List] Disabling SSL Compression (one line patch)
>
> Hi pound folks,
>
> I've successfully disabled SSL compression in pound (a requirement for a platform which needs to be hardened against the CRIME attack).
>
> I'd not seen any mention of this on the mailing lists so far, so I thought I'd mention how I did it (and ask for any comments for improvements on my method).
>
> This site[1] described the SSL_OP_NO_COMPRESSION option, which I've added to my pound's config.c file.
>
> Just for the record this is built against "OpenSSL 1.0.1c-fips" which I described putting into place on CentOS 6 here[2].
>
> Any comments on my first pound patch?
>
> --- config.c.orig 2012-10-05 14:57:53.652702376 +0100
> +++ config.c 2012-10-05 15:12:36.516952267 +0100
> @@ -1136,6 +1136,7 @@
> SSL_CTX_set_app_data(pc->ctx, res);
> SSL_CTX_set_mode(pc->ctx, SSL_MODE_AUTO_RETRY);
> SSL_CTX_set_options(pc->ctx, ssl_op_enable);
> + SSL_CTX_set_options(pc->ctx, SSL_OP_NO_COMPRESSION);
> SSL_CTX_clear_options(pc->ctx, ssl_op_disable);
> sprintf(lin, "%d-Pound-%ld", getpid(), random());
> SSL_CTX_set_session_id_context(pc->ctx, (unsigned char *)lin, strlen(lin));
>
> [1] http://www.dest-unreach.org/socat/contrib/socat-opensslcompress.html
> [2] http://tech.fawk.eu/233/
>
> --
> Coops
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.
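Review bot: the added SSL_CTX_set_options(pc->ctx, SSL_OP_NO_COMPRESSION) in the @@ -1136 hunk only touches the one context being built at that point; as the reply above notes, the SNI certificate blocks and the HTTPS backends each get their own SSL_CTX initialised from ssl_op_enable, so the flag belongs in ssl_op_enable (SSL_OP_ALL | SSL_OP_NO_COMPRESSION) at the top of the function rather than as a separate call here, otherwise those other contexts keep compression on. A second point for the same line: SSL_OP_NO_COMPRESSION only exists from OpenSSL 1.0.0 onward, so guard it with #ifdef SSL_OP_NO_COMPRESSION if the build must still succeed against older libssl.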
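Whichever form of the patch is applied, the deployer will want to confirm that the rebuilt pound no longer negotiates compression on any listener. The following is an added example, not code from this thread or from the Pound project: a POSIX shell check that reads the per-connection summary printed by `openssl s_client` (its "Compression:" and "Expansion:" lines) and returns 0 only when both are NONE. The host name, port, and the three sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Verify that a TLS endpoint does not negotiate compression.
# Reads `openssl s_client` output on stdin and inspects the
# "Compression:" / "Expansion:" summary lines it prints.
# Exit status: 0 = compression off
#              1 = a compression method was negotiated
#              2 = no session summary found (handshake failed, output truncated)
check_no_compression() {
    out=$(cat)
    comp=$(printf '%s\n' "$out" | sed -n 's/^Compression: *//p' | head -n 1)
    exp=$(printf '%s\n' "$out" | sed -n 's/^Expansion: *//p' | head -n 1)
    if [ -z "$comp" ] || [ -z "$exp" ]; then
        echo "no TLS session summary found" >&2
        return 2
    fi
    if [ "$comp" = "NONE" ] && [ "$exp" = "NONE" ]; then
        return 0
    fi
    echo "compression negotiated: $comp / $exp" >&2
    return 1
}

# Live check against a listener (hypothetical host; not run by this script):
#   openssl s_client -connect pound.example.internal:443 \
#       -servername pound.example.internal </dev/null 2>/dev/null | check_no_compression

# Constructed sample transcripts, trimmed to the relevant lines; not real captures.
SAMPLE_OFF='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
---'

SAMPLE_ON='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
---'

SAMPLE_FAIL='connect: Connection refused
connect:errno=111'

# Demonstration on the constructed samples (exit codes 0, 1, 2 respectively).
if [ "${1:-}" = "--demo" ]; then
    for s in "$SAMPLE_OFF" "$SAMPLE_ON" "$SAMPLE_FAIL"; do
        printf '%s\n' "$s" | check_no_compression; echo "exit=$?"
    done
fi
```

The distinction between exit codes 1 and 2 matters in a hardening checklist: a refused or failed handshake must not be recorded as "compression off", so the check only passes when the summary lines are actually present and both read NONE.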
