[
https://issues.apache.org/jira/browse/PROTON-717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14173826#comment-14173826
]
Ken Giusti commented on PROTON-717:
-----------------------------------
This can be fixed with the following patch:
diff --git a/proton-c/src/ssl/openssl.c b/proton-c/src/ssl/openssl.c
index 7c71eef..c9536e2 100644
--- a/proton-c/src/ssl/openssl.c
+++ b/proton-c/src/ssl/openssl.c
@@ -481,6 +481,10 @@ pn_ssl_domain_t *pn_ssl_domain( pn_ssl_mode_t mode )
}
const long reject_insecure = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
SSL_CTX_set_options(domain->ctx, reject_insecure);
+#ifdef SSL_OP_NO_COMPRESSION
+ // Mitigate the CRIME vulnerability
+ SSL_CTX_set_options(domain->ctx, SSL_OP_NO_COMPRESSION);
+#endif
// by default, allow anonymous ciphers so certificates are not required 'out
of the box'
if (!SSL_CTX_set_cipher_list( domain->ctx, CIPHERS_ANONYMOUS )) {
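Review bot: The `#ifdef SSL_OP_NO_COMPRESSION` guard means a build against an OpenSSL whose headers lack the macro compiles cleanly but still negotiates compression, and nothing in the hunk makes that visible; add an `#else` branch with a comment (or a compile-time warning) so a build that did not get the CRIME mitigation is distinguishable from one that did. Stylistically, the new bit could be folded into the `reject_insecure` mask set two lines earlier rather than issuing a second `SSL_CTX_set_options` call, which keeps all of the "reject insecure defaults" policy in one place:
`const long reject_insecure = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` followed by a guarded `| SSL_OP_NO_COMPRESSION` term. The `//` comment matches the existing style on the next line, so that is fine as is.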
> Disable SSL compression
> -----------------------
>
> Key: PROTON-717
> URL: https://issues.apache.org/jira/browse/PROTON-717
> Project: Qpid Proton
> Issue Type: Bug
> Components: proton-c
> Affects Versions: 0.7
> Reporter: Ken Giusti
> Assignee: Ken Giusti
> Fix For: 0.8
>
>
> Disable the OpenSSL compression option. This mitigates the CRIME
> vulnerability.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)