diff options
author | Přemysl Janouch <p.janouch@gmail.com> | 2016-01-18 00:44:45 +0100 |
---|---|---|
committer | Přemysl Janouch <p.janouch@gmail.com> | 2016-01-18 00:45:20 +0100 |
commit | 773d14e740fadfc13687a3ff78bf8106380a346c (patch) | |
tree | 7af5b29876476ba9a6335f0a8498fcd9c6a55b10 | |
parent | 221ae03b5c3ba8ab018909b5815a6985476e99fe (diff) | |
download | xK-773d14e740fadfc13687a3ff78bf8106380a346c.tar.gz xK-773d14e740fadfc13687a3ff78bf8106380a346c.tar.xz xK-773d14e740fadfc13687a3ff78bf8106380a346c.zip |
degesch: disable TLS compression
-rw-r--r-- | degesch.c | 7 |
1 files changed, 7 insertions, 0 deletions
@@ -4474,6 +4474,13 @@ transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e) // Disable deprecated protocols (see RFC 7568) SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); + // This seems to consume considerable amounts of memory while not giving + // that much in return; in addition to that, I'm not sure about security + // (see RFC 7525, section 3.3) +#ifdef SSL_OP_NO_COMPRESSION + SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_COMPRESSION); +#endif // SSL_OP_NO_COMPRESSION + const char *ca_file = get_config_string (s->config, "tls_ca_file"); const char *ca_path = get_config_string (s->config, "tls_ca_path"); |