From a95ef639953dbfe505f3b1ab68fc98f17a0c652c Mon Sep 17 00:00:00 2001
From: "Scott J. Goldman"
Date: Tue, 20 Oct 2015 01:37:26 -0700
Subject: [PATCH] Disable SSL Compression
Mitigates the CRIME attack: https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls
---
 ext/puma_http11/mini_ssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/puma_http11/mini_ssl.c b/ext/puma_http11/mini_ssl.c
index df019c87..c5d11f1b 100644
--- a/ext/puma_http11/mini_ssl.c
+++ b/ext/puma_http11/mini_ssl.c
@@ -143,7 +143,7 @@ VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
 SSL_CTX_load_verify_locations(ctx, RSTRING_PTR(ca), NULL);
 }
- SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE);
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_COMPRESSION);
 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
 SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");
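Review bot: `SSL_OP_NO_COMPRESSION` is used unconditionally in the new `SSL_CTX_set_options` call, but the macro only exists from OpenSSL 1.0.0 onward, so the extension would stop compiling against an older libssl if that is still a supported build target. Setting it separately under a guard keeps the build working: `#ifdef SSL_OP_NO_COMPRESSION` / `SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);` / `#endif`. A build that takes the fallback path would still negotiate TLS compression, so that gap should be stated in the docs rather than left silent. A short comment on the line, such as `/* no TLS compression: ciphertext length leaks secrets (CRIME) */`, would also keep the reason visible next to the flag. The body of `engine_init_server` starts and ends outside this hunk, so how the context is used afterwards is not visible here.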