From: Eric Wong Date: Fri, 23 Aug 2024 16:30:29 +0000 (+0000) Subject: tls: set SSL_OP_NO_COMPRESSION explicitly X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b5a8f6bb0aca6fecd218bf08c4af712c46698b1;p=thirdparty%2Fpublic-inbox.git tls: set SSL_OP_NO_COMPRESSION explicitly TLS compression is susceptible to the CRIME attack and per-connection zlib contexts waste memory for idle clients. While compression should already be off by default in modern OpenSSL; Net::SSLeay::CTX_get_mode reveals OP_NO_COMPRESSION was not set when created by IO::Socket::SSL::SSL_Context->new. So set it explicitly to ensure it's really off. --- diff --git a/lib/PublicInbox/TLS.pm b/lib/PublicInbox/TLS.pm index 3ce57f1b4..9a829deff 100644 --- a/lib/PublicInbox/TLS.pm +++ b/lib/PublicInbox/TLS.pm @@ -3,7 +3,7 @@ # IO::Socket::SSL support code package PublicInbox::TLS; -use strict; +use v5.12; use IO::Socket::SSL; use PublicInbox::Syscall qw(EPOLLIN EPOLLOUT); use Carp qw(carp croak); @@ -24,13 +24,16 @@ sub _ctx_new ($) { @{$tlsd->{ssl_ctx_opt}}, SSL_server => 1) or croak "SSL_Context->new: $SSL_ERROR"; - # save ~34K per idle connection (cf. SSL_CTX_set_mode(3ssl)) + # SSL_MODE_RELEASE_BUFFERS saves ~34K per idle connection + # (cf. SSL_CTX_set_mode(3ssl)) # RSS goes from 346MB to 171MB with 10K idle NNTPS clients on amd64 # cf. https://rt.cpan.org/Ticket/Display.html?id=129463 - my $mode = eval { Net::SSLeay::MODE_RELEASE_BUFFERS() }; - if ($mode && $ctx->{context}) { + # SSL_OP_NO_COMPRESSION should be the default in OpenSSL nowadays: + # it avoids the CRIME attack and zlib memory overhead + for my $f (qw(MODE_RELEASE_BUFFERS OP_NO_COMPRESSION)) { + my $mode = eval "Net::SSLeay::$f()" or next; eval { Net::SSLeay::CTX_set_mode($ctx->{context}, $mode) }; - warn "W: $@ (setting SSL_MODE_RELEASE_BUFFERS)\n" if $@; + warn "W: $@ (setting SSL_$f)\n" if $@; } $ctx; }
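Review bot: In the new `for` loop of `_ctx_new`, OP_NO_COMPRESSION is passed to `Net::SSLeay::CTX_set_mode`, but it is an SSL_OP_* option, and OpenSSL keeps options and modes in separate bitmasks with separate setters. The call therefore sets a bit in the mode mask and leaves the compression option as it was, so the CRIME mitigation the commit intends is not applied by this code. The same mix-up would explain the `CTX_get_mode` observation in the commit message; `Net::SSLeay::CTX_get_options` is the accessor that reports OP_NO_COMPRESSION. The loop also drops the earlier `$ctx->{context}` guard and swaps the block eval for a string eval, which is not needed for two fixed constants. I would set each flag through its own setter as below; `_ctx_new` begins above this hunk.

```perl
	# … unchanged: SSL_Context->new call and the comment block …
	my $c = $ctx->{context};
	if ($c && (my $mode = eval { Net::SSLeay::MODE_RELEASE_BUFFERS() })) {
		eval { Net::SSLeay::CTX_set_mode($c, $mode) };
		warn "W: $@ (setting SSL_MODE_RELEASE_BUFFERS)\n" if $@;
	}
	# options are a separate bitmask from modes: use CTX_set_options
	if ($c && (my $op = eval { Net::SSLeay::OP_NO_COMPRESSION() })) {
		eval { Net::SSLeay::CTX_set_options($c, $op) };
		warn "W: $@ (setting SSL_OP_NO_COMPRESSION)\n" if $@;
	}
	$ctx;
```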