source: trunk/server/common/patches/httpd-SSLCompression.patch @ 2335

Last change on this file since 2335 was 2321, checked in by geofft, 10 years ago
Disable SSL compression to defend against rumored side-channel attack
  • modules/ssl/mod_ssl.c

    Description: mod_ssl: Add new directive SSLCompression to disable TLS-level compression.
    Origin: http://svn.apache.org/viewvc?view=revision&revision=1369585
    
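diff -Naur httpd-2.2.22/modules/ssl/mod_ssl.c httpd-2.2.22.patched/modules/ssl/mod_ssl.c
--- httpd-2.2.22/modules/ssl/mod_ssl.c
+++ httpd-2.2.22.patched/modules/ssl/mod_ssl.c
@@ -146,6 +146,9 @@
                 "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
     SSL_CMD_SRV(HonorCipherOrder, FLAG,
                 "Use the server's cipher ordering preference")
+    SSL_CMD_SRV(Compression, FLAG,
+                "Enable SSL level compression"
+                "(`on', `off')")
     SSL_CMD_SRV(InsecureRenegotiation, FLAG,
                 "Enable support for insecure renegotiation")
     SSL_CMD_ALL(UserName, TAKE1,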
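Review bot: The help text of the new directive at lines 150–151 concatenates `"Enable SSL level compression"` with `"(`on', `off')"` without a separating space, so the text shown by `httpd -L` reads `compression(`on', `off')`; change line 150 to `"Enable SSL level compression "`. The Protocol entry just above uses the same pattern, so this may be deliberate house style, in which case it can stay as it is.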
  • modules/ssl/ssl_engine_config.c

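diff -Naur httpd-2.2.22/modules/ssl/ssl_engine_config.c httpd-2.2.22.patched/modules/ssl/ssl_engine_config.c
--- httpd-2.2.22/modules/ssl/ssl_engine_config.c
+++ httpd-2.2.22.patched/modules/ssl/ssl_engine_config.c
@@ -178,6 +178,9 @@
 #ifdef HAVE_FIPS
     sc->fips                   = UNSET;
 #endif
+#ifndef OPENSSL_NO_COMP
+    sc->compression            = UNSET;
+#endif
 
     modssl_ctx_init_proxy(sc, p);
 
@@ -275,6 +278,9 @@
 #ifdef HAVE_FIPS
     cfgMergeBool(fips);
 #endif
+#ifndef OPENSSL_NO_COMP
+    cfgMergeBool(compression);
+#endif
 
     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
 
@@ -708,6 +714,23 @@
 
 }
 
+const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
+{
+#if !defined(OPENSSL_NO_COMP)
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+#ifndef SSL_OP_NO_COMPRESSION
+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    if (err)
+        return "This version of openssl does not support configuring "
+               "compression within <VirtualHost> sections.";
+#endif
+    sc->compression = flag ? TRUE : FALSE;
+    return NULL;
+#else
+    return "Setting Compression mode unsupported; not implemented by the SSL library";
+#endif
+}
+
 const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
 {
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE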
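Review bot: `ssl_cmd_SSLCompression` restricts the directive to the global context when `SSL_OP_NO_COMPRESSION` is absent (lines 721–726), but nothing near the `ap_check_cmd_context` call records why; the reason lives in ssl_engine_init.c, whose fallback clears the process-wide `SSL_COMP_get_compression_methods()` list and therefore cannot be scoped to one `<VirtualHost>`. A comment above line 722, such as `/* Pre-1.0 OpenSSL has no per-context switch; ssl_engine_init.c must empty the global method list, so only a server-wide setting is meaningful */`, keeps the two files in step for the next maintainer. As a minor tidy-up, the `sc` lookup on line 720 is computed before the context check and goes unused on the error path, so it could move below the `#endif` on line 726.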
  • modules/ssl/ssl_engine_init.c

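diff -Naur httpd-2.2.22/modules/ssl/ssl_engine_init.c httpd-2.2.22.patched/modules/ssl/ssl_engine_init.c
--- httpd-2.2.22/modules/ssl/ssl_engine_init.c
+++ httpd-2.2.22.patched/modules/ssl/ssl_engine_init.c
@@ -503,6 +503,18 @@
     }
 #endif
 
+
+#ifndef OPENSSL_NO_COMP
+    if (sc->compression == FALSE) {
+#ifdef SSL_OP_NO_COMPRESSION
+        /* OpenSSL >= 1.0 only */
+        SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
+#elif OPENSSL_VERSION_NUMBER >= 0x00908000L
+        sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
+#endif
+    }
+#endif
+
 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
     if (sc->insecure_reneg == TRUE) {
         SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);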
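Review bot: The condition `if (sc->compression == FALSE)` on line 508 disables compression only when the directive is explicitly set to `off`; the field is initialised to `UNSET` in ssl_engine_config.c and stays that way unless a configuration sets it, so a server that never mentions `SSLCompression` keeps the OpenSSL default, which is compression enabled, and the aim stated in the commit message is met only for configurations that contain `SSLCompression off`. If the intent is off-by-default, change line 508 to `if (sc->compression != TRUE) {` so the directive becomes the way to re-enable compression; if on-by-default is intended, a comment on that line saying so would stop the next reader from "fixing" it. Note also that the fallback on line 513 empties a process-wide list, so on OpenSSL 0.9.8 the first server context initialised with `off` disables compression for every virtual host, which is presumably why the directive is limited to the global context there. The enclosing function starts and ends outside the hunk.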
  • modules/ssl/ssl_private.h

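diff -Naur httpd-2.2.22/modules/ssl/ssl_private.h httpd-2.2.22.patched/modules/ssl/ssl_private.h
--- httpd-2.2.22/modules/ssl/ssl_private.h
+++ httpd-2.2.22.patched/modules/ssl/ssl_private.h
@@ -486,6 +486,9 @@
 #ifdef HAVE_FIPS
     BOOL             fips;
 #endif
+#ifndef OPENSSL_NO_COMP
+    BOOL             compression;
+#endif
 };
 
 /**
@@ -542,6 +545,7 @@
 const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
+const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
 const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);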
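Review bot: The prototype added on line 548, `ssl_cmd_SSLCompression(cmd_parms *, void *, int flag)`, names one parameter and leaves two unnamed, whereas the definition in ssl_engine_config.c names all three and the `SSLHonorCipherOrder` line directly above does too; use `const char  *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag);`. The `compression` field on line 490 is guarded by `OPENSSL_NO_COMP`, a macro that ssl_toolkit_compat.h now defines itself for old OpenSSL builds, so this header must see the compat header before the struct definition for the guard to be consistent across translation units; it presumably already does, but that is worth confirming.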
  • modules/ssl/ssl_toolkit_compat.h

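diff -Naur httpd-2.2.22/modules/ssl/ssl_toolkit_compat.h httpd-2.2.22.patched/modules/ssl/ssl_toolkit_compat.h
--- httpd-2.2.22/modules/ssl/ssl_toolkit_compat.h
+++ httpd-2.2.22.patched/modules/ssl/ssl_toolkit_compat.h
@@ -276,6 +276,11 @@
 #endif
 #endif
 
+#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
+    && OPENSSL_VERSION_NUMBER < 0x00908000L
+#define OPENSSL_NO_COMP
+#endif
+
 #endif /* SSL_TOOLKIT_COMPAT_H */
 
 /** @} */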
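Review bot: The block at lines 279–282 defines `OPENSSL_NO_COMP` for OpenSSL builds older than 0.9.8 that lack `SSL_OP_NO_COMPRESSION`, repurposing a macro that otherwise means "library built without compression"; a reader meeting `OPENSSL_NO_COMP` elsewhere in mod_ssl cannot tell which case applies, and the `SSLCompression` handler's message "not implemented by the SSL library" is then inaccurate for a 0.9.7 library that does compress but cannot be told not to. Add a comment above the `#if`, along the lines of `/* Before 0.9.8 mod_ssl has no way to switch compression off (no SSL_OP_NO_COMPRESSION, no SSL_COMP_get_compression_methods()); treat such builds as if the library had no compression at all, so the directive is rejected rather than silently ignored */`.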