Message ID | 20170129211511.9747-1-joerg.krause@embedded.rocks |
---|---|
State | Accepted |
Hello,

On Sun, 29 Jan 2017 22:15:11 +0100, Jörg Krause wrote:

> To enable compression support using zlib it is necessary to uncomment
> the define for MBEDTLS_ZLIB_SUPPORT in config.h [1].
>
> Note, that enabling TLS compression may make mbedTLS vulnerable to the
> CRIME attack [1]. It should not be enabled unless it is sure CRIME and
> similar attacks are not applicable to the particular situation.
>
> As zlib is probably enabled in most systems, maybe it is best to make
> the compression support a user choice and add the warning from [1]?

Yes, please do this, it seems to make sense.

> [1] https://tls.mbed.org/kb/how-to/deflate-compression-in-ssl-tls
>
> Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
> ---
> package/mbedtls/mbedtls.mk | 5 +++++
> 1 file changed, 5 insertions(+)

Applied to master, thanks.

Thomas

diff --git a/package/mbedtls/mbedtls.mk b/package/mbedtls/mbedtls.mk index a8bd61f12..7171af9f9 100644 --- a/package/mbedtls/mbedtls.mk +++ b/package/mbedtls/mbedtls.mk @@ -42,6 +42,11 @@ endif ifeq ($(BR2_PACKAGE_ZLIB),y) MBEDTLS_CONF_OPTS += -DENABLE_ZLIB_SUPPORT=ON MBEDTLS_DEPENDENCIES += zlib +define MBEDTLS_ENABLE_ZLIB + $(SED) "s://#define MBEDTLS_ZLIB_SUPPORT:#define MBEDTLS_ZLIB_SUPPORT:" \ + $(@D)/include/mbedtls/config.h +endef +MBEDTLS_POST_PATCH_HOOKS += MBEDTLS_ENABLE_ZLIB else MBEDTLS_CONF_OPTS += -DENABLE_ZLIB_SUPPORT=OFF endif
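
Review bot: The MBEDTLS_ENABLE_ZLIB hook sits directly under `ifeq ($(BR2_PACKAGE_ZLIB),y)`, so TLS compression is compiled into mbedTLS for every configuration that selects zlib for any reason, which is the CRIME exposure the commit message itself warns about. I would gate the hook on a dedicated mbedtls option that defaults to off (for example a new Config.in symbol such as BR2_PACKAGE_MBEDTLS_COMPRESSION, the name being only a suggestion, that selects BR2_PACKAGE_ZLIB) and carry the warning from the linked knowledge-base article in its help text, with `-DENABLE_ZLIB_SUPPORT=OFF` remaining the default path. Separately, the sed expression `s://#define MBEDTLS_ZLIB_SUPPORT:#define MBEDTLS_ZLIB_SUPPORT:` succeeds even when it matches nothing, so a change in how config.h comments out the define would silently leave compression disabled while ENABLE_ZLIB_SUPPORT=ON is still passed; a grep for the uncommented define after the substitution would turn that into a build failure.
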
To enable compression support using zlib it is necessary to uncomment
the define for MBEDTLS_ZLIB_SUPPORT in config.h [1].

Note, that enabling TLS compression may make mbedTLS vulnerable to the
CRIME attack [1]. It should not be enabled unless it is sure CRIME and
similar attacks are not applicable to the particular situation.

As zlib is probably enabled in most systems, maybe it is best to make
the compression support a user choice and add the warning from [1]?

[1] https://tls.mbed.org/kb/how-to/deflate-compression-in-ssl-tls

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
---
package/mbedtls/mbedtls.mk | 5 +++++
1 file changed, 5 insertions(+)