[2321] | 1 | Description: mod_ssl: Add new directive SSLCompression to disable TLS-level compression. |
---|
| 2 | Origin: http://svn.apache.org/viewvc?view=revision&revision=1369585 |
---|
| 3 | |
---|
| 4 | diff -Naur httpd-2.2.22/modules/ssl/mod_ssl.c httpd-2.2.22.patched/modules/ssl/mod_ssl.c |
---|
| 5 | --- httpd-2.2.22/modules/ssl/mod_ssl.c 2010-07-12 14:47:45.000000000 -0400 |
---|
| 6 | +++ httpd-2.2.22.patched/modules/ssl/mod_ssl.c 2012-09-12 17:10:57.417861707 -0400 |
---|
| 7 | @@ -146,6 +146,9 @@ |
---|
| 8 | "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)") |
---|
| 9 | SSL_CMD_SRV(HonorCipherOrder, FLAG, |
---|
| 10 | "Use the server's cipher ordering preference") |
---|
| 11 | + SSL_CMD_SRV(Compression, FLAG, |
---|
| 12 | + "Enable SSL level compression" |
---|
| 13 | + "(`on', `off')") |
---|
| 14 | SSL_CMD_SRV(InsecureRenegotiation, FLAG, |
---|
| 15 | "Enable support for insecure renegotiation") |
---|
| 16 | SSL_CMD_ALL(UserName, TAKE1, |
---|
| 17 | diff -Naur httpd-2.2.22/modules/ssl/ssl_engine_config.c httpd-2.2.22.patched/modules/ssl/ssl_engine_config.c |
---|
| 18 | --- httpd-2.2.22/modules/ssl/ssl_engine_config.c 2011-04-14 09:56:17.000000000 -0400 |
---|
| 19 | +++ httpd-2.2.22.patched/modules/ssl/ssl_engine_config.c 2012-09-12 17:10:57.425862035 -0400 |
---|
| 20 | @@ -178,6 +178,9 @@ |
---|
| 21 | #ifdef HAVE_FIPS |
---|
| 22 | sc->fips = UNSET; |
---|
| 23 | #endif |
---|
| 24 | +#ifndef OPENSSL_NO_COMP |
---|
| 25 | + sc->compression = UNSET; |
---|
| 26 | +#endif |
---|
| 27 | |
---|
| 28 | modssl_ctx_init_proxy(sc, p); |
---|
| 29 | |
---|
| 30 | @@ -275,6 +278,9 @@ |
---|
| 31 | #ifdef HAVE_FIPS |
---|
| 32 | cfgMergeBool(fips); |
---|
| 33 | #endif |
---|
| 34 | +#ifndef OPENSSL_NO_COMP |
---|
| 35 | + cfgMergeBool(compression); |
---|
| 36 | +#endif |
---|
| 37 | |
---|
| 38 | modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy); |
---|
| 39 | |
---|
| 40 | @@ -708,6 +714,23 @@ |
---|
| 41 | |
---|
| 42 | } |
---|
| 43 | |
---|
| 44 | +const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag) |
---|
| 45 | +{ |
---|
| 46 | +#if !defined(OPENSSL_NO_COMP) |
---|
| 47 | + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); |
---|
| 48 | +#ifndef SSL_OP_NO_COMPRESSION |
---|
| 49 | + const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); |
---|
| 50 | + if (err) |
---|
| 51 | + return "This version of openssl does not support configuring " |
---|
| 52 | + "compression within <VirtualHost> sections."; |
---|
| 53 | +#endif |
---|
| 54 | + sc->compression = flag ? TRUE : FALSE; |
---|
| 55 | + return NULL; |
---|
| 56 | +#else |
---|
| 57 | + return "Setting Compression mode unsupported; not implemented by the SSL library"; |
---|
| 58 | +#endif |
---|
| 59 | +} |
---|
| 60 | + |
---|
| 61 | const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag) |
---|
| 62 | { |
---|
| 63 | #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE |
---|
| 64 | diff -Naur httpd-2.2.22/modules/ssl/ssl_engine_init.c httpd-2.2.22.patched/modules/ssl/ssl_engine_init.c |
---|
| 65 | --- httpd-2.2.22/modules/ssl/ssl_engine_init.c 2011-04-14 09:56:17.000000000 -0400 |
---|
| 66 | +++ httpd-2.2.22.patched/modules/ssl/ssl_engine_init.c 2012-09-12 17:10:57.419861789 -0400 |
---|
| 67 | @@ -503,6 +503,18 @@ |
---|
| 68 | } |
---|
| 69 | #endif |
---|
| 70 | |
---|
| 71 | + |
---|
| 72 | +#ifndef OPENSSL_NO_COMP |
---|
| 73 | + if (sc->compression == FALSE) { |
---|
| 74 | +#ifdef SSL_OP_NO_COMPRESSION |
---|
| 75 | + /* OpenSSL >= 1.0 only */ |
---|
| 76 | + SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); |
---|
| 77 | +#elif OPENSSL_VERSION_NUMBER >= 0x00908000L |
---|
| 78 | + sk_SSL_COMP_zero(SSL_COMP_get_compression_methods()); |
---|
| 79 | +#endif |
---|
| 80 | + } |
---|
| 81 | +#endif |
---|
| 82 | + |
---|
| 83 | #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION |
---|
| 84 | if (sc->insecure_reneg == TRUE) { |
---|
| 85 | SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); |
---|
| 86 | diff -Naur httpd-2.2.22/modules/ssl/ssl_private.h httpd-2.2.22.patched/modules/ssl/ssl_private.h |
---|
| 87 | --- httpd-2.2.22/modules/ssl/ssl_private.h 2011-04-14 09:56:17.000000000 -0400 |
---|
| 88 | +++ httpd-2.2.22.patched/modules/ssl/ssl_private.h 2012-09-12 18:11:48.762900287 -0400 |
---|
| 89 | @@ -486,6 +486,9 @@ |
---|
| 90 | #ifdef HAVE_FIPS |
---|
| 91 | BOOL fips; |
---|
| 92 | #endif |
---|
| 93 | +#ifndef OPENSSL_NO_COMP |
---|
| 94 | + BOOL compression; |
---|
| 95 | +#endif |
---|
| 96 | }; |
---|
| 97 | |
---|
| 98 | /** |
---|
| 99 | @@ -542,6 +545,7 @@ |
---|
| 100 | const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *); |
---|
| 101 | const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *); |
---|
| 102 | const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag); |
---|
| 103 | +const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag); |
---|
| 104 | const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *); |
---|
| 105 | const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *); |
---|
| 106 | const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *); |
---|
| 107 | diff -Naur httpd-2.2.22/modules/ssl/ssl_toolkit_compat.h httpd-2.2.22.patched/modules/ssl/ssl_toolkit_compat.h |
---|
| 108 | --- httpd-2.2.22/modules/ssl/ssl_toolkit_compat.h 2010-07-12 14:47:45.000000000 -0400 |
---|
| 109 | +++ httpd-2.2.22.patched/modules/ssl/ssl_toolkit_compat.h 2012-09-12 18:12:09.982772267 -0400 |
---|
| 110 | @@ -276,6 +276,11 @@ |
---|
| 111 | #endif |
---|
| 112 | #endif |
---|
| 113 | |
---|
| 114 | +#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \ |
---|
| 115 | + && OPENSSL_VERSION_NUMBER < 0x00908000L |
---|
| 116 | +#define OPENSSL_NO_COMP |
---|
| 117 | +#endif |
---|
| 118 | + |
---|
| 119 | #endif /* SSL_TOOLKIT_COMPAT_H */ |
---|
| 120 | |
---|
| 121 | /** @} */ |
---|