This repository has been archived by the owner. It is now read-only.

Amend comment to ensure TLS compression is disabled forever more #4018

Closed
kgriffs opened this Issue Sep 14, 2012 · 1 comment


kgriffs commented Sep 14, 2012

In light of the recently disclosed CRIME attack, it may be helpful to make a note for posterity in node_crypto.cc, warning them that compression should never be enabled.

The comment below might lead someone to believe that the only benefit is reduced memory consumption.

```cpp
  // Turn off compression. Saves memory - do it in userland.
#if !defined(OPENSSL_NO_COMP)
  STACK_OF(SSL_COMP)* comp_methods =
#if OPENSSL_VERSION_NUMBER < 0x00908000L
    SSL_COMP_get_compression_method()
#else
    SSL_COMP_get_compression_methods()
#endif
  ;
  sk_SSL_COMP_zero(comp_methods);
  assert(sk_SSL_COMP_num(comp_methods) == 0);
#endif
```

@indutny reopen if applicable.

@trevnorris trevnorris closed this Jul 26, 2013
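Why the "saves memory" rationale undersells this setting, as an added example (not code from Node or from this issue): when a record is compressed before it is encrypted, its length depends on whether a secret in it repeats elsewhere in the same record, and without compression it does not. The request layout, the cookie value and the function names are constructed for illustration, and Node's `zlib` raw DEFLATE stands in for TLS-level compression.

```javascript
const zlib = require('zlib');

// Constructed sample secret; not a real session value.
const SECRET = 'sessionid=7f3a9c1e5b2d4086a1c4e9f0b3d7526e';

// A request in which one field (q) is influenced by another party and one
// field (Cookie) is secret, both ending up in the same TLS record.
function buildRequest(reflected) {
  return Buffer.from(
    `GET /search?q=${reflected} HTTP/1.1\r\n` +
    'Host: example.test\r\n' +
    `Cookie: ${SECRET}\r\n\r\n`,
    'latin1'
  );
}

// Bytes handed to the cipher. Encryption hides content but not length, so
// this is (up to framing and padding) what an on-path observer can measure.
function recordLength(plaintext, compress) {
  return (compress ? zlib.deflateRawSync(plaintext) : plaintext).length;
}

// Compare two equal-length reflected values: one equal to the secret, one not.
function measure() {
  const same = buildRequest(SECRET);
  const other = buildRequest('sessionid=c0d1e2f3a4b5968778695a4b3c2d1e0f');
  return {
    compressed: {
      same: recordLength(same, true),
      other: recordLength(other, true),
    },
    uncompressed: {
      same: recordLength(same, false),
      other: recordLength(other, false),
    },
  };
}

console.log(measure());
```

With compression off, as the `sk_SSL_COMP_zero` call above enforces, both requests produce records of identical length, so length says nothing about the cookie.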
