From: Ben Darnell
Date: Sun, 15 Feb 2015 23:35:07 +0000 (-0500)
Subject: Disable SSL compression on py32-33.
X-Git-Tag: v4.2.0b1~108
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4d38de67f94590d0d9f7d0667a173dd5d459c51d;p=thirdparty%2Ftornado.git
Disable SSL compression on py32-33.
This passes howsmyssl.com for python 2.7.9 and above; the older versions are fairly hopeless.
---
diff --git a/tornado/netutil.py b/tornado/netutil.py
index 1a07e942a..48355f947 100644
--- a/tornado/netutil.py
+++ b/tornado/netutil.py
@@ -66,6 +66,12 @@ if hasattr(ssl, 'SSLContext'):
 _client_ssl_defaults.verify_mode = ssl.CERT_REQUIRED
 _client_ssl_defaults.load_verify_locations(certifi.where())
 _server_ssl_defaults = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ if hasattr(ssl, 'OP_NO_COMPRESSION'):
+ # Disable TLS compression to avoid CRIME and related attacks.
+ # This constant wasn't added until python 3.3.
+ _client_ssl_defaults.options |= ssl.OP_NO_COMPRESSION
+ _server_ssl_defaults.options |= ssl.OP_NO_COMPRESSION
+
 else:
 # Python 2.6-2.7.8
 _client_ssl_defaults = dict(cert_reqs=ssl.CERT_REQUIRED,
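Review bot: The `ssl.SSLContext(ssl.PROTOCOL_SSLv23)` defaults in this branch get compression turned off but, in the lines shown, no protocol-version options, so SSLv3 (and possibly SSLv2, depending on the interpreter's defaults) may still be negotiable, which leaves POODLE-style downgrade exposure next to the CRIME fix. `ssl.OP_NO_SSLv2` and `ssl.OP_NO_SSLv3` have been available since Python 3.2, so they can be set outside the `hasattr` guard: `_client_ssl_defaults.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3`, and the same for `_server_ssl_defaults`. When `OP_NO_COMPRESSION` is missing the contexts silently keep compression enabled; a comment such as `# Python 3.2: TLS compression cannot be disabled here` after the guarded block would make that gap visible. The enclosing `if`/`else` starts before the hunk and the trailing `else:` branch runs past it, so any options applied elsewhere are not visible from here.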