Description: mod_ssl: Add new directive SSLCompression to disable TLS-level compression.
Origin: http://svn.apache.org/viewvc?view=revision&revision=1369585

diff -r -U3 httpd-2.2.23/modules/ssl/mod_ssl.c httpd-2.2.23.patched/modules/ssl/mod_ssl.c
--- httpd-2.2.23/modules/ssl/mod_ssl.c	2013-02-14 18:32:59.360289681 -0500
+++ httpd-2.2.23.patched/modules/ssl/mod_ssl.c	2013-02-14 18:34:22.670718893 -0500
@@ -158,6 +158,9 @@
                 "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
     SSL_CMD_SRV(HonorCipherOrder, FLAG,
                 "Use the server's cipher ordering preference")
+    SSL_CMD_SRV(Compression, FLAG,
+                "Enable SSL level compression"
+                "(`on', `off')")
     SSL_CMD_SRV(InsecureRenegotiation, FLAG,
                 "Enable support for insecure renegotiation")
     SSL_CMD_ALL(UserName, TAKE1,
diff -r -U3 httpd-2.2.23/modules/ssl/ssl_engine_config.c httpd-2.2.23.patched/modules/ssl/ssl_engine_config.c
--- httpd-2.2.23/modules/ssl/ssl_engine_config.c	2013-02-14 18:32:59.358289719 -0500
+++ httpd-2.2.23.patched/modules/ssl/ssl_engine_config.c	2013-02-14 18:34:22.672718856 -0500
@@ -183,6 +183,9 @@
 #ifdef HAVE_FIPS
     sc->fips                   = UNSET;
 #endif
+#ifndef OPENSSL_NO_COMP
+    sc->compression            = UNSET;
+#endif
 
     modssl_ctx_init_proxy(sc, p);
 
@@ -281,6 +284,9 @@
 #ifdef HAVE_FIPS
     cfgMergeBool(fips);
 #endif
+#ifndef OPENSSL_NO_COMP
+    cfgMergeBool(compression);
+#endif
 
     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
 
@@ -714,6 +720,23 @@
 
 }
 
+const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
+{
+#if !defined(OPENSSL_NO_COMP)
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+#ifndef SSL_OP_NO_COMPRESSION
+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    if (err)
+        return "This version of openssl does not support configuring "
+               "compression within <VirtualHost> sections.";
+#endif
+    sc->compression = flag ? TRUE : FALSE;
+    return NULL;
+#else
+    return "Setting Compression mode unsupported; not implemented by the SSL library";
+#endif
+}
+
 const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
 {
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
Only in httpd-2.2.23.patched/modules/ssl: ssl_engine_config.c.orig
diff -r -U3 httpd-2.2.23/modules/ssl/ssl_engine_init.c httpd-2.2.23.patched/modules/ssl/ssl_engine_init.c
--- httpd-2.2.23/modules/ssl/ssl_engine_init.c	2013-02-14 18:32:59.358289719 -0500
+++ httpd-2.2.23.patched/modules/ssl/ssl_engine_init.c	2013-02-14 18:34:22.672718856 -0500
@@ -542,6 +542,18 @@
     }
 #endif
 
+
+#ifndef OPENSSL_NO_COMP
+    if (sc->compression == FALSE) {
+#ifdef SSL_OP_NO_COMPRESSION
+        /* OpenSSL >= 1.0 only */
+        SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
+#elif OPENSSL_VERSION_NUMBER >= 0x00908000L
+        sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
+#endif
+    }
+#endif
+
 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
     if (sc->insecure_reneg == TRUE) {
         SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
Only in httpd-2.2.23.patched/modules/ssl: ssl_engine_init.c.orig
diff -r -U3 httpd-2.2.23/modules/ssl/ssl_private.h httpd-2.2.23.patched/modules/ssl/ssl_private.h
--- httpd-2.2.23/modules/ssl/ssl_private.h	2013-02-14 18:32:59.357289737 -0500
+++ httpd-2.2.23.patched/modules/ssl/ssl_private.h	2013-02-14 18:34:22.673718837 -0500
@@ -507,6 +507,9 @@
 #ifdef HAVE_FIPS
     BOOL             fips;
 #endif
+#ifndef OPENSSL_NO_COMP
+    BOOL             compression;
+#endif
 };
 
 /**
@@ -563,6 +566,7 @@
 const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
+const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
 const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
Only in httpd-2.2.23.patched/modules/ssl: ssl_private.h.orig
diff -r -U3 httpd-2.2.23/modules/ssl/ssl_toolkit_compat.h httpd-2.2.23.patched/modules/ssl/ssl_toolkit_compat.h
--- httpd-2.2.23/modules/ssl/ssl_toolkit_compat.h	2012-08-17 13:30:46.000000000 -0400
+++ httpd-2.2.23.patched/modules/ssl/ssl_toolkit_compat.h	2013-02-14 18:34:22.674718818 -0500
@@ -277,6 +277,11 @@
 #endif
 #endif
 
+#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
+    && OPENSSL_VERSION_NUMBER < 0x00908000L
+#define OPENSSL_NO_COMP
+#endif
+
 #endif /* SSL_TOOLKIT_COMPAT_H */
 
 /** @} */
Only in httpd-2.2.23.patched/modules/ssl: ssl_toolkit_compat.h.orig