[CDRIVER-1369] Set SSL_OP_NO_COMPRESSION by default
| Created: | 11/Jul/16 | Updated: | 19/Dec/16 | Resolved: | 13/Jul/16 |
| Status: | Closed |
| Project: | C Driver |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 1.4.0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Hannes Magnusson | Assignee: | Hannes Magnusson |
| Resolution: | Done | Votes: | 0 |
| Labels: | intern2016 |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Epic Link: | TLS Improvements |
| Description |
|
TLS Compression is dangerous and should be avoided on the public internet. It is disabled by default in OpenSSL 1.1.0 and later, but needs to be explicitly disabled for earlier releases. From a client perspective, we should protect our clients by ensuring SSL_OP_NO_COMPRESSION is set on the client side, making it irrelevant whether the server lib supports it or not. We should check whether Secure Transport or Secure Channel needs a similar workaround to disable compression. |
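An added example, not the C driver's code: Python's `ssl` module wraps OpenSSL and exposes the same option bit as `ssl.OP_NO_COMPRESSION`, so it can show a client context being hardened regardless of the library default, plus a check that can be run on contexts and established sessions. The helper names and the context with the bit cleared are constructed for illustration.

```python
import ssl

# Same bit as OpenSSL's SSL_OP_NO_COMPRESSION. In C the equivalent call is
# SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION).
NO_COMPRESSION = int(ssl.OP_NO_COMPRESSION)


def legacy_style_context():
    """Constructed stand-in for a library whose default leaves compression on:
    a client context with the OP_NO_COMPRESSION bit cleared."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options = int(ctx.options) & ~NO_COMPRESSION
    return ctx


def disable_compression(ctx):
    """Set the bit unconditionally instead of trusting the library default.
    OR-ing leaves every other option untouched. Returns (before, after)."""
    before = int(ctx.options)
    ctx.options = before | NO_COMPRESSION
    return before, int(ctx.options)


def audit(ctx, sock=None):
    """Return findings for a context and, optionally, an established
    SSLSocket/SSLObject (compression() is None when nothing was negotiated)."""
    findings = []
    if not int(ctx.options) & NO_COMPRESSION:
        findings.append("OP_NO_COMPRESSION is not set on the context")
    if sock is not None and sock.compression() is not None:
        findings.append("session negotiated compression: %s" % sock.compression())
    return findings


if __name__ == "__main__":
    ctx = legacy_style_context()
    print(ssl.OPENSSL_VERSION, "before:", audit(ctx))
    disable_compression(ctx)
    print("after:", audit(ctx))
```

Because the client sets the bit itself, the result of `audit` no longer depends on which OpenSSL release is linked or on what the server offers.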
| Comments |
| Comment by Hannes Magnusson [ 13/Jul/16 ] |
|
Secure Transport & Secure Channel do not support compression; nothing to do there. |
| Comment by Githook User [ 13/Jul/16 ] |
|
Author: Hannes Magnusson (bjori) <bjori@php.net>
Message: Darwin TLS & Windows TLS do not support compression |