From fd3384eab190ee53d8abc1fc19a0899ae6a7a7f7 Mon Sep 17 00:00:00 2001
From: Richard Moore
Date: Tue, 18 Sep 2012 22:06:15 +0100
Subject: Disable SSL compression by default.

Disable SSL compression by default since this appears to be the a likely cause of the currently hyped CRIME attack. This is a backport of 5ea896fbc63593f424a7dfbb11387599c0025c74 from qt5.
Change-Id: I8fd01c2a230804d88ffa4599e7fd9293a8af9e0f
Reviewed-by: Thiago Macieira
Reviewed-by: Shane Kearns
---
 src/network/ssl/qsslsocket_openssl.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 949b509..e305822 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -264,7 +264,13 @@ init_context:
 }
 // Enable all bug workarounds.
+#ifdef SSL_OP_NO_COMPRESSION
+ // If compression is available, then disable it to avoid the CRIME attack
+ // if it is not available then we're not vulnerable anyway.
+ q_SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_COMPRESSION);
+#else
 q_SSL_CTX_set_options(ctx, SSL_OP_ALL);
+#endif
 // Initialize ciphers
 QByteArray cipherString;
-- 
cgit v0.12
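Review bot: The comment in the `#ifdef SSL_OP_NO_COMPRESSION` block says a build without the macro is "not vulnerable anyway", but the macro only shows which OpenSSL headers Qt was compiled against, not whether the library in use can negotiate TLS compression. OpenSSL releases before 1.0.0 lack the option yet can still offer zlib compression when built with it, and if the `q_` wrappers resolve OpenSSL at run time (not visible here) a newer library could sit behind older headers, so the `#else` path may leave CRIME-relevant compression enabled. At minimum the comment should say so, e.g. `// No SSL_OP_NO_COMPRESSION in these headers: the library may still negotiate compression.`; emptying the list returned by `SSL_COMP_get_compression_methods()` in the `#else` branch would close the gap on such builds. The result of `q_SSL_CTX_set_options` is also ignored, so nothing confirms the option bit was actually applied. The enclosing function begins and ends outside this hunk.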