degesch: disable TLS compression

2016-01-18 00:44:45 +01:00 · 2016-01-18 00:44:45 +01:00 · 773d14e740
parent 221ae03b5c
commit 773d14e740
1 changed files with 7 additions and 0 deletions
--- a/degesch.c
+++ b/degesch.c
@ -4474,6 +4474,13 @@ transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
 	// Disable deprecated protocols (see RFC 7568)
 	SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

+	// This seems to consume considerable amounts of memory while not giving
+	// that much in return; in addition to that, I'm not sure about security
+	// (see RFC 7525, section 3.3)
+#ifdef SSL_OP_NO_COMPRESSION
+	SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_COMPRESSION);
+#endif // SSL_OP_NO_COMPRESSION
+
 	const char *ca_file = get_config_string (s->config, "tls_ca_file");
 	const char *ca_path = get_config_string (s->config, "tls_ca_path");