[OpenWrt-Devel] [PATCH 2/6] openssl: add option to disable compression support
Dirk Feytons
dirk.feytons at gmail.com
Thu Jun 9 08:35:35 EDT 2016
On 9 June 2016 at 13:51, Karl Palsson <karlp at tweak.net.au> wrote:
>
> You've changed the default for compression in this patch, was
> that intentional?
Yes. From what I gathered after attacks like CRIME the use of TLS
compression seems to be discouraged.
> Dirk Feytons <dirk.feytons at gmail.com> wrote:
>> Signed-off-by: Dirk Feytons <dirk.feytons at gmail.com>
>> ---
>> package/libs/openssl/Config.in | 5 +++++
>> package/libs/openssl/Makefile | 13 ++++++++++---
>> 2 files changed, 15 insertions(+), 3 deletions(-)
>>
>> diff --git a/package/libs/openssl/Config.in
>> b/package/libs/openssl/Config.in index aa94300..02b5da9 100644
>> --- a/package/libs/openssl/Config.in
>> +++ b/package/libs/openssl/Config.in
>> @@ -20,6 +20,11 @@ config OPENSSL_WITH_DEPRECATED
>> default y
>> prompt "Include deprecated APIs"
>>
>> +config OPENSSL_WITH_COMPRESSION
>> + bool
>> + default n
>> + prompt "Enable compression support"
>> +
>> config OPENSSL_ENGINE_DIGEST
>> bool
>> depends on OPENSSL_ENGINE_CRYPTO
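Review bot: the new OPENSSL_WITH_COMPRESSION entry has no help text, and its `default n` changes behaviour for existing configurations, because the Makefile previously always passed zlib-dynamic. Add a `help` block saying that compression is off by default because TLS compression is discouraged after attacks like CRIME, and state the default change in the commit message, which currently carries only the Signed-off-by line.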
>> diff --git a/package/libs/openssl/Makefile
>> b/package/libs/openssl/Makefile index bf040a3..c6824f3 100644
>> --- a/package/libs/openssl/Makefile
>> +++ b/package/libs/openssl/Makefile
>> @@ -34,7 +34,8 @@ PKG_CONFIG_DEPENDS:= \
>> CONFIG_OPENSSL_WITH_EC2M \
>> CONFIG_OPENSSL_WITH_SSL3 \
>> CONFIG_OPENSSL_HARDWARE_SUPPORT \
>> - CONFIG_OPENSSL_WITH_DEPRECATED
>> + CONFIG_OPENSSL_WITH_DEPRECATED \
>> + CONFIG_OPENSSL_WITH_COMPRESSION
>>
>> include $(INCLUDE_DIR)/package.mk
>>
>> @@ -64,7 +65,7 @@ $(call Package/openssl/Default)
>> SECTION:=libs
>> SUBMENU:=SSL
>> CATEGORY:=Libraries
>> - DEPENDS:=+zlib
>> + DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib
>> TITLE+= (libraries)
>> ABI_VERSION:=$(PKG_VERSION)
>> MENU:=1
>> @@ -94,7 +95,7 @@ endef
>>
>>
>> OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-camellia no-krb5
>> -OPENSSL_OPTIONS:= shared no-err zlib-dynamic no-sse2 no-ssl2
>> +OPENSSL_OPTIONS:= shared no-err no-sse2 no-ssl2
>>
>> ifdef CONFIG_OPENSSL_ENGINE_CRYPTO
>> OPENSSL_OPTIONS += -DHAVE_CRYPTODEV
>> @@ -125,6 +126,12 @@ ifndef CONFIG_OPENSSL_WITH_DEPRECATED
>> OPENSSL_OPTIONS += no-deprecated
>> endif
>>
>> +ifndef CONFIG_OPENSSL_WITH_COMPRESSION
>> + OPENSSL_OPTIONS += no-comp
>> +else
>> + OPENSSL_OPTIONS += zlib-dynamic
>> +endif
>> +
>
> You could use positive logic here if you like.
Sure; I'll swap it around.
>> ifeq ($(CONFIG_x86_64),y)
>> OPENSSL_TARGET:=linux-x86_64-openwrt
>> OPENSSL_MAKEFLAGS += LIBDIR=lib
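Review bot: in the `ifndef CONFIG_OPENSSL_WITH_COMPRESSION` block the hardened setting (no-comp) is reached through negative logic, which makes it easy to misread which branch a default build takes. Writing it as `ifdef CONFIG_OPENSSL_WITH_COMPRESSION` with zlib-dynamic first and no-comp in the else branch reads more directly, and a one-line comment that no-comp is what builds get unless the option is selected would document the intent. zlib-dynamic here is tied to the conditional `+OPENSSL_WITH_COMPRESSION:zlib` dependency earlier in the Makefile, so the two must be kept in sync if the symbol is renamed.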