git.ipfire.org Git - thirdparty/haproxy.git/commit
MINOR: ssl: allow to disable certificate compression
refs: 20260127-openssl-compression, flx04/20260127-openssl-compression
author: William Lallemand <wlallemand@haproxy.com>
Tue, 27 Jan 2026 11:25:25 +0000 (12:25 +0100)
committer: William Lallemand <wlallemand@haproxy.com>
Tue, 27 Jan 2026 15:10:41 +0000 (16:10 +0100)
commit: 6995fe60c32726830786be229c0531ce5fe531ae
tree: 44b6bf09ec1fec1f65f95c16690f6898b5b2bde1
parent: 0ea601127eb0069b9f04382120526413763cdaf9
MINOR: ssl: allow to disable certificate compression

This option allows disabling certificate compression (RFC 8879)
using OpenSSL >= 3.2.0.

This feature is known to permit some denial of service by causing extra
memory allocations of approximately 22MiB and extra CPU work per
connection with OpenSSL versions affected by CVE-2025-66199.
( https://openssl-library.org/news/vulnerabilities/index.html#CVE-2025-66199 )

Setting this to "off" allows mitigating the problem.

Must be backported to all stable branches.
doc/configuration.txt
include/haproxy/ssl_sock-t.h
src/cfgparse-ssl.c
src/ssl_sock.c