authorPřemysl Janouch <p.janouch@gmail.com>2016-01-18 00:44:45 +0100
committerPřemysl Janouch <p.janouch@gmail.com>2016-01-18 00:45:20 +0100
commit773d14e740fadfc13687a3ff78bf8106380a346c (patch)
tree7af5b29876476ba9a6335f0a8498fcd9c6a55b10
parent221ae03b5c3ba8ab018909b5815a6985476e99fe (diff)
downloadxK-773d14e740fadfc13687a3ff78bf8106380a346c.tar.gz
xK-773d14e740fadfc13687a3ff78bf8106380a346c.tar.xz
xK-773d14e740fadfc13687a3ff78bf8106380a346c.zip
degesch: disable TLS compression
-rw-r--r--degesch.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/degesch.c b/degesch.c
index 1997aea..30af309 100644
--- a/degesch.c
+++ b/degesch.c
@@ -4474,6 +4474,13 @@ transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
// Disable deprecated protocols (see RFC 7568)
SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+ // This seems to consume considerable amounts of memory while not giving
+ // that much in return; in addition to that, I'm not sure about security
+ // (see RFC 7525, section 3.3)
+#ifdef SSL_OP_NO_COMPRESSION
+ SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_COMPRESSION);
+#endif // SSL_OP_NO_COMPRESSION
+
const char *ca_file = get_config_string (s->config, "tls_ca_file");
const char *ca_path = get_config_string (s->config, "tls_ca_path");
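Review bot: The comment above the new `SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_COMPRESSION)` call hedges on the security rationale ("I'm not sure about security"), while RFC 7525 section 3.3 is explicit that TLS-level compression should be disabled because compressed plaintext leaks information about its contents; the comment could state the reason outright, e.g. `// Disable TLS compression: it leaks plaintext length (RFC 7525, section 3.3) and costs memory`. The `#ifdef SSL_OP_NO_COMPRESSION` guard also means that on OpenSSL releases predating the option compression stays silently enabled, with no build-time hint; if such releases are still supported, a short comment on the `#ifdef` saying so would make that trade-off visible. `transport_tls_init_ctx` starts and ends outside the hunk.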