Also, it appears that option only exists in OPENSSL 1.0 versions.  So you'll 
probably need to surround it with an ifdef.

Joe

> -----Original Message-----
> From: Joe Gooch
> Sent: Friday, October 05, 2012 11:42 AM
> To: '[email protected]'
> Subject: RE: [Pound Mailing List] Disabling SSL Compression (one line
> patch)
> 
> Looks to me like you already have my SSL patches applied (hence the
> ssl_op_enable and ssl_op_disable references)... You probably need only
> add it to ssl_op_enable at the top of that function. (i.e. SSL_OP_ALL |
> SSL_OP_NO_COMPRESSION)  This will make sure the flag is set in SNI
> config blocks as well.
> 
> I'm not sure if it's appropriate to set for HTTPS backends as well.
> (They're within our "trusted" network anyway... so network scanning
> hopefully is more unlikely)  but you'd want to catch those ctx options
> as well.
> 
> Joe
> 
> > -----Original Message-----
> > From: Hereward Cooper [mailto:[email protected]]
> > Sent: Friday, October 05, 2012 10:40 AM
> > To: [email protected]
> > Subject: [Pound Mailing List] Disabling SSL Compression (one line
> > patch)
> >
> > Hi pound folks,
> >
> > I've successfully disabled SSL compression in pound (a requirement for
> > a platform which needs to be hardened against the CRIME attack).
> >
> > I'd not seen any mention of this on the mailing lists so far, so I
> > thought I'd mention how I did it (and ask for any comments for
> > improvements on my method).
> >
> > This site[1] described the SSL_OP_NO_COMPRESSION option, which I've
> > added to my pound's config.c file.
> >
> > Just for the record this is built against "OpenSSL 1.0.1c-fips" which
> > I described putting into place on CentOS 6 here[2].
> >
> > Any comments on my first pound patch?
> >
> > --- config.c.orig   2012-10-05 14:57:53.652702376 +0100
> > +++ config.c        2012-10-05 15:12:36.516952267 +0100
> > @@ -1136,6 +1136,7 @@
> >                  SSL_CTX_set_app_data(pc->ctx, res);
> >                  SSL_CTX_set_mode(pc->ctx, SSL_MODE_AUTO_RETRY);
> >                  SSL_CTX_set_options(pc->ctx, ssl_op_enable);
> > +                SSL_CTX_set_options(pc->ctx, SSL_OP_NO_COMPRESSION);
> >                  SSL_CTX_clear_options(pc->ctx, ssl_op_disable);
> >                  sprintf(lin, "%d-Pound-%ld", getpid(), random());
> >                  SSL_CTX_set_session_id_context(pc->ctx, (unsigned
> > char *)lin, strlen(lin));
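Review bot: the new SSL_CTX_set_options call only covers the single ctx built at this point, so any other SSL_CTX that config.c creates (the SNI block contexts Joe mentions, and the HTTPS backend contexts) still allows compression; fold the flag into the ssl_op_enable mask that is already OR'ed in on the line above (SSL_OP_ALL | SSL_OP_NO_COMPRESSION) instead of adding a second call here. The added line also needs an #ifdef SSL_OP_NO_COMPRESSION guard around it, since that constant is only defined from OpenSSL 1.0.0 onward and the build would otherwise break against an older libssl.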
> >
> >
> >  [1] http://www.dest-unreach.org/socat/contrib/socat-opensslcompress.html
> >  [2] http://tech.fawk.eu/233/
> >
> > --
> > Coops
> >
> > --
> > To unsubscribe send an email with subject unsubscribe to
> > [email protected].
> > Please contact [email protected] for questions.

--
To unsubscribe send an email with subject unsubscribe to [email protected].
Please contact [email protected] for questions.
