diff --git a/deps/openssl/openssl.gypi b/deps/openssl/openssl.gypi
index 63286a1a64..73aff917d7 100644
--- a/deps/openssl/openssl.gypi
+++ b/deps/openssl/openssl.gypi
@@ -214,10 +214,6 @@
 'openssl/crypto/cms/cms_pwri.c',
 'openssl/crypto/cms/cms_sd.c',
 'openssl/crypto/cms/cms_smime.c',
- 'openssl/crypto/comp/c_rle.c',
- 'openssl/crypto/comp/c_zlib.c',
- 'openssl/crypto/comp/comp_err.c',
- 'openssl/crypto/comp/comp_lib.c',
 'openssl/crypto/conf/conf_api.c',
 'openssl/crypto/conf/conf_def.c',
 'openssl/crypto/conf/conf_err.c',
@@ -1252,6 +1248,9 @@
 'PURIFY',
 '_REENTRANT',
+ # Compression is not used and considered insecure (CRIME.)
+ 'OPENSSL_NO_COMP',
+
 # SSLv3 is susceptible to downgrade attacks (POODLE.)
 'OPENSSL_NO_SSL3',
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index a143576227..d46e8a42a9 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -5721,15 +5721,8 @@ void InitCryptoOnce() {
 // Turn off compression. Saves memory and protects against CRIME attacks.
-#if !defined(OPENSSL_NO_COMP)
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
- STACK_OF(SSL_COMP)* comp_methods = SSL_COMP_get_compression_method();
-#else
- STACK_OF(SSL_COMP)* comp_methods = SSL_COMP_get_compression_methods();
-#endif
- sk_SSL_COMP_zero(comp_methods);
- CHECK_EQ(sk_SSL_COMP_num(comp_methods), 0);
-#endif
+ // No-op with OPENSSL_NO_COMP builds of OpenSSL.
+ sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
 #ifndef OPENSSL_NO_ENGINE
 ERR_load_ENGINE_strings();
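Review bot: The rewritten call in InitCryptoOnce() drops the `CHECK_EQ(sk_SSL_COMP_num(comp_methods), 0)` assertion, so nothing verifies any more that the compression-method stack is actually empty after `sk_SSL_COMP_zero()`. The new comment implies the binary can still be linked against an OpenSSL built with compression (presumably a shared or system library, where the `OPENSSL_NO_COMP` define added in openssl.gypi does not apply); in that configuration the runtime zeroing is the only CRIME mitigation and should fail closed. Consider keeping the check for that case: `#ifndef OPENSSL_NO_COMP` / `CHECK_EQ(sk_SSL_COMP_num(SSL_COMP_get_compression_methods()), 0);` / `#endif`. The one-liner also relies on `sk_SSL_COMP_zero()` tolerating whatever a NO_COMP build returns from `SSL_COMP_get_compression_methods()` (likely NULL), which deserves a short comment next to the call. InitCryptoOnce() begins and ends outside the hunk.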