authorRenato Botelho <garga@FreeBSD.org>2015-03-11 14:09:22 -0300
committerRenato Botelho <garga@FreeBSD.org>2015-03-11 14:09:22 -0300
commit0d443728d5ba55565f23ee71db117dbc1e1bb496 (patch)
tree5476dcc893595f66db33d516794fbee141bd77de /etc/inc/system.inc
parent3a0a59c812f5719ff672c52f0f77c699513b713f (diff)
Explicitly disable ssl.use-compression in the lighty config. It should fix #4230
Diffstat (limited to 'etc/inc/system.inc')
-rw-r--r--etc/inc/system.inc3
1 files changed, 3 insertions, 0 deletions
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 1cfdfb5..3d032d4 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1464,6 +1464,9 @@ EOD;
// where ssl.cipher-list is set, this is automatically enabled, but set it explicitly anyway.
$lighty_config .= "ssl.honor-cipher-order = \"enable\"\n";
+ // Explicit disable compression to mitigate CRIME attack
+ $lighty_config .= "ssl.use-compression = \"disable\"\n";
+
$lighty_config .= "ssl.cipher-list = \"AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS\"\n";
if (!(empty($ca) || (strlen(trim($ca)) == 0))) {
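Review bot: The comment added above `ssl.use-compression` should say that the setting turns off TLS-level compression only, because CRIME is all this line addresses; compression of HTTP response bodies (the BREACH class of issue) is configured separately and is unchanged here. I would word it as `// Explicitly disable TLS-level compression to mitigate CRIME; HTTP response compression is configured separately.` The directive is emitted unconditionally, so it is worth confirming that the lighttpd build shipped with this tree recognises the key (not visible from this hunk) and checking on a running system that a TLS client reports no compression negotiated. The enclosing function starts and ends outside the hunk.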