From 19fc943f59f72d0e5386838b044f47e4660dd49e Mon Sep 17 00:00:00 2001 From: Travis Cross Date: Sun, 16 Mar 2014 16:07:02 +0000 Subject: [PATCH] Mitigate the CRIME TLS flaw If an attacker can cause a device to make an authenticated request to a service via TLS while including a payload of the attacker's choice in that request, and if TLS compression is enabled, the attacker can uncover the plaintext authentication information by making a series of guesses and observing changes in the length of the ciphertext. This is CVE-2012-4929. FS-6360 --resolve Thanks-to: Brian West --- libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c index 07218159db..97bc5b98ac 100644 --- a/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c +++ b/libs/sofia-sip/libsofia-sip-ua/tport/tport_tls.c @@ -334,6 +334,8 @@ int tls_init_context(tls_t *tls, tls_issues_t const *ti) SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1_2); SSL_CTX_sess_set_remove_cb(tls->ctx, NULL); SSL_CTX_set_timeout(tls->ctx, ti->timeout); + /* CRIME (CVE-2012-4929) mitigation */ + SSL_CTX_set_options(tls->ctx, SSL_OP_NO_COMPRESSION); /* Set callback if we have a passphrase */ if (ti->passphrase != NULL) {