Add new directive SSLCompression to disable SSL-level compression.

PR: 53219 Submitted by: Björn Jacke <bjoern j3e de>, Stefan Fritsch git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1345319 13f79535-47bb-0310-9956-ffa450edef68
2025-08-05 16:55:50 +03:00 · 2012-06-01 19:36:37 +00:00
parent bd4d8fd4a2
commit 510d3f904e
6 changed files with 57 additions and 0 deletions
--- a/3
+++ b/3
@@ -1,6 +1,9 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
  *) mod_ssl: Add new directive SSLCompression to disable TLS-level
     compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
  *) core: Make ap_regcomp() return AP_REG_ESPACE if out of memory.  Make
     ap_pregcomp() abort if out of memory. This raises the minimum PCRE
     requirement to version 6.0. PR 53284. [Stefan Fritsch]
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -2382,4 +2382,20 @@ be protected with file permissions similar to those used for
 </usage>
 </directivesynopsis>
 <directivesynopsis>
 <name>SSLCompression</name>
 <description>Disallow compression on the SSL level</description>
 <syntax>SSLCompression on|off</syntax>
 <default>SSLCompression on</default>
 <contextlist><context>server config</context>
 <context>virtual host</context></contextlist>
 <compatibility>Available in httpd 2.5.0 and later, if using OpenSSL 0.9.8 or later;
 virtual host scope available if using OpenSSL 1.0.0 or later</compatibility>
 <usage>
 <p>This directive allows to disable compression on the SSL level.</p>
 </usage>
 </directivesynopsis>
 </modulesynopsis>
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -138,6 +138,9 @@ static const command_rec ssl_config_cmds[] = {
                "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
    SSL_CMD_SRV(HonorCipherOrder, FLAG,
                "Use the server's cipher ordering preference")
    SSL_CMD_SRV(Compression, FLAG,
                "Enable SSL level compression"
                "(`on', `off')")
    SSL_CMD_SRV(InsecureRenegotiation, FLAG,
                "Enable support for insecure renegotiation")
    SSL_CMD_ALL(UserName, TAKE1,
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -207,6 +207,7 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
 #ifdef HAVE_FIPS
    sc->fips                   = UNSET;
 #endif
    sc->compression            = UNSET;
    modssl_ctx_init_proxy(sc, p);
@@ -328,6 +329,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
 #ifdef HAVE_FIPS
    cfgMergeBool(fips);
 #endif
    cfgMergeBool(compression);
    modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
@@ -663,6 +665,23 @@ static const char *ssl_cmd_check_file(cmd_parms *parms,
 }
 const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
 {
 #if defined(SSL_OP_NO_COMPRESSION) || OPENSSL_VERSION_NUMBER >= 0x00908000L
    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 #ifndef SSL_OP_NO_COMPRESSION
    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
    if (err)
        return "This version of openssl does not support configuring "
               "compression within <VirtualHost> sections.";
 #endif
    sc->compression = flag ? TRUE : FALSE;
    return NULL;
 #else
    return "Setting Compression mode unsupported; not implemented by the SSL library";
 #endif
 }
 const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
 {
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -622,6 +622,20 @@ static void ssl_init_ctx_protocol(server_rec *s,
    }
 #endif
 #ifdef SSL_OP_NO_COMPRESSION
    /* OpenSSL >= 1.0 only */
    if (sc->compression == FALSE) {
        SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
    }
 #elif OPENSSL_VERSION_NUMBER >= 0x00908000L
    /* workaround for OpenSSL 0.9.8 */
    if (sc->compression == FALSE) {
        STACK_OF(SSL_COMP)* comp_methods;
        comp_methods = SSL_COMP_get_compression_methods();
        sk_SSL_COMP_zero(comp_methods);
    }
 #endif
 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
    if (sc->insecure_reneg == TRUE) {
        SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -678,6 +678,7 @@ struct SSLSrvConfigRec {
 #ifdef HAVE_FIPS
    BOOL             fips;
 #endif
    BOOL             compression;
 };
 /**
@@ -732,6 +733,7 @@ const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
 const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
 const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);