generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

RT3234: disable compression

Browse Source 
CRIME protection: disable compression by default, even if OpenSSL is
compiled with zlib enabled. Applications can still enable compression by
calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by using
the SSL_CONF library to configure compression. SSL_CONF continues to
work as before:

SSL_CONF_cmd(ctx, "Options", "Compression") enables compression.

SSL_CONF_cmd(ctx, "Options", "-Compression") disables compression (now
no-op by default).

The command-line switch has changed from -no_comp to -comp.

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Emilia Kasper
2016-02-02 16:26:38 +01:00
parent 0c20802c6a
commit dc5744cb78
6 changed files with 25 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
doc/ssl/SSL_CONF_cmd.pod
View File

@@ -131,9 +131,9 @@ These options are deprecated, instead use B<-min_protocol> and B<-max_protocol>.
Various bug workarounds are set, same as setting B<SSL_OP_ALL>.
=item B<-no_comp>
=item B<-comp>
Disables support for SSL/TLS compression, same as setting B<SSL_OP_NO_COMPRESS>.
Enables support for SSL/TLS compression, same as clearing B<SSL_OP_NO_COMPRESSION>.
=item B<-no_ticket>
@@ -495,6 +495,10 @@ Disable TLS session tickets:
SSL_CONF_cmd(ctx, "Options", "-SessionTicket");
Enable compression:
SSL_CONF_cmd(ctx, "Options", "Compression");
Set supported curves to P-256, P-384:
SSL_CONF_cmd(ctx, "Curves", "P-256:P-384");