mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00

Change default for SSLCompression to off, as compression causes security issues in most setups


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1400700 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Stefan Fritsch
2012-10-21 19:15:43 +00:00
parent 0b12da4973
commit f55dd489b1
3 changed files with 14 additions and 5 deletions


@@ -1,6 +1,10 @@
-*- coding: utf-8 -*- -*- coding: utf-8 -*-
Changes with Apache 2.5.0 Changes with Apache 2.5.0
*) mod_ssl: Change default for SSLCompression to off, as compression
causes security issues in most setups. (The so called "CRIME" attack).
[Stefan Fritsch]
*) syslog logging: Remove stray ", referer" at the end of some messages. *) syslog logging: Remove stray ", referer" at the end of some messages.
[Jeff Trawick] [Jeff Trawick]
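Review bot: a style point on the new CHANGES entry: "so called" should be hyphenated ("so-called"), and the parenthetical "(The so called "CRIME" attack)." is a stray fragment after the sentence's full stop; suggest folding it in as `causes security issues in most setups (the so-called "CRIME" attack).` so the entry reads as one sentence and uses the same wording as the docs warning added in this commit.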


@@ -2446,16 +2446,21 @@ be protected with file permissions similar to those used for
<directivesynopsis> <directivesynopsis>
<name>SSLCompression</name> <name>SSLCompression</name>
<description>Disallow compression on the SSL level</description> <description>Enable compression on the SSL level</description>
<syntax>SSLCompression on|off</syntax> <syntax>SSLCompression on|off</syntax>
<default>SSLCompression on</default> <default>SSLCompression off</default>
<contextlist><context>server config</context> <contextlist><context>server config</context>
<context>virtual host</context></contextlist> <context>virtual host</context></contextlist>
<compatibility>Available in httpd 2.4.3 and later, if using OpenSSL 0.9.8 or later; <compatibility>Available in httpd 2.4.3 and later, if using OpenSSL 0.9.8 or later;
virtual host scope available if using OpenSSL 1.0.0 or later</compatibility> virtual host scope available if using OpenSSL 1.0.0 or later.
The default used to be <code>on</code> in version 2.4.3.</compatibility>
<usage> <usage>
<p>This directive allows to disable compression on the SSL level.</p> <p>This directive allows to enable compression on the SSL level.</p>
<note type="warning">
<p>Enabling compression causes security issues in most setups (the so called
CRIME attack).</p>
</note>
</usage> </usage>
</directivesynopsis> </directivesynopsis>
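Review bot: the rewritten usage sentence is ungrammatical: "This directive allows to enable compression on the SSL level" should read "This directive enables compression on the SSL level" (or "allows you to enable"). Since the default is now off, the usage text should say so next to the new warning, e.g. "Compression is disabled by default; only set SSLCompression on if you have evaluated the CRIME attack for your deployment", and "so called" should be "so-called" here as in CHANGES. The added sentence in <compatibility> ("The default used to be on in version 2.4.3") is the right place to record the behaviour change for operators upgrading, so keep that.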


@@ -656,7 +656,7 @@ static void ssl_init_ctx_protocol(server_rec *s,
#ifndef OPENSSL_NO_COMP #ifndef OPENSSL_NO_COMP
if (sc->compression == FALSE) { if (sc->compression != TRUE) {
#ifdef SSL_OP_NO_COMPRESSION #ifdef SSL_OP_NO_COMPRESSION
/* OpenSSL >= 1.0 only */ /* OpenSSL >= 1.0 only */
SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
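Review bot: changing `sc->compression == FALSE` to `sc->compression != TRUE` is the entire runtime side of the default flip (the other two files touched are CHANGES and the docs), and it only changes behaviour if `sc->compression` can hold a third, unset value that is neither TRUE nor FALSE; that intent should be stated in a comment beside the test, e.g. `/* unset or off: disable compression (default is off because of CRIME) */`, otherwise a later reader will take the negated comparison for a no-op rewrite. Please also confirm that the branch for OpenSSL builds without `SSL_OP_NO_COMPRESSION` (below the visible context of this hunk) is governed by the same negated condition, so that the default is off regardless of OpenSSL version.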