Explicit disable ssl.use-compression on lighty config. It should fix #4230

author: Renato Botelho <garga@FreeBSD.org> 2015-03-11 14:09:22 -0300
committer: Renato Botelho <garga@FreeBSD.org> 2015-03-11 14:09:31 -0300
commit: cd8ce13c29fb03714d90c4e9599b77aa1faa1a80 (patch)
tree: 4e342b5d46a92f252133b38f824fb6f01c92777a
parent: 8304fb462a0afebd93546af043ce741096a5ee1b (diff)
download: pfsense-cd8ce13c29fb03714d90c4e9599b77aa1faa1a80.zip
pfsense-cd8ce13c29fb03714d90c4e9599b77aa1faa1a80.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 06e7bbe..e90a90d 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1344,6 +1344,9 @@ EOD;
 		// where ssl.cipher-list is set, this is automatically enabled, but set it explicitly anyway.
 		$lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
 
+		// Explicit disable compression to mitigate CRIME attack
+		$lighty_config .= "ssl.use-compression = \"disable\"\n";
+
 		$lighty_config .= "ssl.cipher-list = \"AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS\"\n";
 
 		if(!(empty($ca) || (strlen(trim($ca)) == 0)))
author	Renato Botelho <garga@FreeBSD.org>	2015-03-11 14:09:22 -0300
committer	Renato Botelho <garga@FreeBSD.org>	2015-03-11 14:09:31 -0300
commit	cd8ce13c29fb03714d90c4e9599b77aa1faa1a80 (patch)
tree	4e342b5d46a92f252133b38f824fb6f01c92777a
parent	8304fb462a0afebd93546af043ce741096a5ee1b (diff)
download	pfsense-cd8ce13c29fb03714d90c4e9599b77aa1faa1a80.zip pfsense-cd8ce13c29fb03714d90c4e9599b77aa1faa1a80.tar.gz