Improve comment about why we disable TLS compression.
Closes bug 22964. Based on Teor's replacement there, but tries to put the comment in a more logical place and to explain why we are actually disabling compression in the first place.
This commit is contained in:
parent
10331081c7
commit
db1664e593
@ -1174,17 +1174,20 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
|
|||||||
SSL_CTX_set_options(result->ctx,
|
SSL_CTX_set_options(result->ctx,
|
||||||
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
|
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Don't actually allow compression; it uses RAM and time, it makes TLS
|
||||||
|
* vulnerable to CRIME-style attacks, and most of the data we transmit over
|
||||||
|
* TLS is encrypted (and therefore uncompressible) anyway. */
|
||||||
#ifdef SSL_OP_NO_COMPRESSION
|
#ifdef SSL_OP_NO_COMPRESSION
|
||||||
SSL_CTX_set_options(result->ctx, SSL_OP_NO_COMPRESSION);
|
SSL_CTX_set_options(result->ctx, SSL_OP_NO_COMPRESSION);
|
||||||
#endif
|
#endif
|
||||||
#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)
|
#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)
|
||||||
#ifndef OPENSSL_NO_COMP
|
#ifndef OPENSSL_NO_COMP
|
||||||
/* Don't actually allow compression; it uses ram and time, but the data
|
|
||||||
* we transmit is all encrypted anyway. */
|
|
||||||
if (result->ctx->comp_methods)
|
if (result->ctx->comp_methods)
|
||||||
result->ctx->comp_methods = NULL;
|
result->ctx->comp_methods = NULL;
|
||||||
#endif
|
#endif
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef SSL_MODE_RELEASE_BUFFERS
|
#ifdef SSL_MODE_RELEASE_BUFFERS
|
||||||
SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
|
SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
|
||||||
#endif
|
#endif
|
||||||
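Review bot: The pre-1.1.0 fallback at `if (result->ctx->comp_methods) result->ctx->comp_methods = NULL;` is left with no comment once the old one is removed, so a reader now sees the code reaching into SSL_CTX internals with no stated reason. I'd add a short comment above the `#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)` line, e.g. `/* Belt-and-braces for older OpenSSL: also clear the compression method list directly, in case SSL_OP_NO_COMPRESSION is absent or not honored.  This pokes at SSL_CTX internals, hence the version guard. */` — hedged, since I cannot confirm from this hunk which OpenSSL versions lack the option, only that the `#ifdef SSL_OP_NO_COMPRESSION` guard implies some do. The `if` guard is also redundant: assigning NULL unconditionally has the same effect, so `result->ctx->comp_methods = NULL;` alone would read more clearly. tor_tls_context_new begins before this hunk and continues past it.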
|