Description: Disable SSL compression.
Mitigates the SSL CRIME attack (CVE-2012-4929).
The upstream patch uses an option only present in wheezy's openssl, so
this code is needed to actually disable compression in squeeze.
Forwarded: not-needed
Bug-Debian: http://bugs.debian.org/700399
diff -Nur lighttpd-1.4.28/src/network.c lighttpd-1.4.28.new/src/network.c
--- lighttpd-1.4.28/src/network.c 2013-02-12 15:20:23.000000000 +0100
+++ lighttpd-1.4.28.new/src/network.c 2013-02-12 15:19:51.954559635 +0100
@@ -566,6 +566,9 @@
}
}
+ /* Debian: disable ssl compression to mitigate CRIME attack. */
+ sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
+
if (!buffer_is_empty(s->ssl_cipher_list)) {
/* Disable support for low encryption ciphers */
if (SSL_CTX_set_cipher_list(s->ssl_ctx, s->ssl_cipher_list->ptr) != 1) {
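Review bot: The added `sk_SSL_COMP_zero(SSL_COMP_get_compression_methods())` empties OpenSSL's process-wide compression-method list, not anything belonging to `s` or `s->ssl_ctx`, yet it is placed beside the per-context `SSL_CTX_set_cipher_list` call; judging by the surrounding per-context code it appears to run once for every server config context, which is harmless because the call is idempotent, but it reads as if it were per-context. Doing it once, at OpenSSL initialisation before any SSL_CTX is built, would state the intent more clearly and make it obvious the mitigation is not gated on any per-host option. At minimum the comment should say the effect is global: `/* Debian: disable ssl compression to mitigate CRIME (CVE-2012-4929). This empties OpenSSL's process-wide list of compression methods, so it affects every SSL_CTX, not only this one. */`. The enclosing function starts and ends outside the hunk, so where the loop begins cannot be confirmed from here.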