Disable SSL compression by default.

Disable SSL compression by default since this appears to be the a likely cause of the currently hyped CRIME attack. This is a backport of 5ea896fbc63593f424a7dfbb11387599c0025c74 from qt5. Change-Id: I8fd01c2a230804d88ffa4599e7fd9293a8af9e0f Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> Reviewed-by: Shane Kearns <shane.kearns@accenture.com>
author: Richard Moore <rich@kde.org> 2012-09-18 22:06:15 +0100
committer: Marko Valtanen <marko.valtanen@digia.com> 2012-12-04 15:20:37 +0200
commit: 9cecd48c2654fec22a8a3dbb836dea7b82473eb7 (patch)
tree: d472e0ee486a2b8850471913e3bdd8cec3b5d176
parent: 510e9a642b251e6ef17d0d996954599e271e7f5e (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index bf3e3fe8df..0b218df002 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -278,7 +278,13 @@ init_context:
     }
 
     // Enable all bug workarounds.
+#ifdef SSL_OP_NO_COMPRESSION
+    // If compression is available, then disable it to avoid the CRIME attack
+    // if it is not available then we're not vulnerable anyway.
+    q_SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_COMPRESSION);
+#else
     q_SSL_CTX_set_options(ctx, SSL_OP_ALL);
+#endif
 
     // Initialize ciphers
     QByteArray cipherString;
author	Richard Moore <rich@kde.org>	2012-09-18 22:06:15 +0100
committer	Marko Valtanen <marko.valtanen@digia.com>	2012-12-04 15:20:37 +0200
commit	9cecd48c2654fec22a8a3dbb836dea7b82473eb7 (patch)
tree	d472e0ee486a2b8850471913e3bdd8cec3b5d176
parent	510e9a642b251e6ef17d0d996954599e271e7f5e (diff)