author Ben Noordhuis <info@bnoordhuis.nl> 2016-05-04 20:15:53 +0200
committer Ben Noordhuis <info@bnoordhuis.nl> 2016-05-05 00:26:26 +0200
commit e6b35f4a86e788659d8ba2dada815492480a1382 (patch)
tree 0dd8914938bb91685f6eb7b3a8f96af445a36965 /deps/openssl/openssl.gypi
parent 330ea769efe83d4a117c86f482998a9613d51230 (diff)
crypto: disable ssl compression at build time

SSL compression was first disabled at runtime in March 2011 in commit e83c6959 ("Disable compression with OpenSSL.") for performance reasons and was later shown to be vulnerable to information leakage (CRIME.) Let's stop compiling it in altogether.

This commit removes a broken CHECK from src/node_crypto.cc; broken because sk_SSL_COMP_num() returns -1 for a NULL stack, not 0. As a result, node.js would abort when linked to an OPENSSL_NO_COMP build of openssl.

PR-URL: https://github.com/nodejs/node/pull/6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

Diffstat (limited to 'deps/openssl/openssl.gypi')
-rw-r--r-- deps/openssl/openssl.gypi 7
1 files changed, 3 insertions, 4 deletions
diff --git a/deps/openssl/openssl.gypi b/deps/openssl/openssl.gypi
index 63286a1a64..73aff917d7 100644
--- a/deps/openssl/openssl.gypi
+++ b/deps/openssl/openssl.gypi
@@ -214,10 +214,6 @@
'openssl/crypto/cms/cms_pwri.c',
'openssl/crypto/cms/cms_sd.c',
'openssl/crypto/cms/cms_smime.c',
- 'openssl/crypto/comp/c_rle.c',
- 'openssl/crypto/comp/c_zlib.c',
- 'openssl/crypto/comp/comp_err.c',
- 'openssl/crypto/comp/comp_lib.c',
'openssl/crypto/conf/conf_api.c',
'openssl/crypto/conf/conf_def.c',
'openssl/crypto/conf/conf_err.c',
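Review bot: nothing at the point where the four openssl/crypto/comp/*.c entries are dropped records that their absence depends on OPENSSL_NO_COMP being defined further down in this file. If this sources list is ever refreshed from an upstream file listing, the entries could return unnoticed, or the define could be dropped while the sources stay missing and the link fails. A one-line comment here pointing at the define would keep the two changes tied together. It is also worth confirming that no other crypto/comp source remains elsewhere in the list, since only these four are visible in the hunk.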
@@ -1252,6 +1248,9 @@
'PURIFY',
'_REENTRANT',
+ # Compression is not used and considered insecure (CRIME.)
+ 'OPENSSL_NO_COMP',
+
# SSLv3 is susceptible to downgrade attacks (POODLE.)
'OPENSSL_NO_SSL3',
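Review bot: from the lines shown around the new 'OPENSSL_NO_COMP' entry it is not clear whether this defines list applies only to the OpenSSL target itself or is also exported to targets that include the OpenSSL headers, such as src/node_crypto.cc named in the commit message. If it is library-only, the headers seen by dependents would still declare the compression API while the library is built without it, so please confirm the define reaches dependents as well. The comment wording and placement match the neighbouring OPENSSL_NO_SSL3 entry, which is good.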