[2321] | 1 | Description: mod_ssl: Add new directive SSLCompression to disable TLS-level compression. |
| 2 | Origin: http://svn.apache.org/viewvc?view=revision&revision=1369585 |
| 3 | |
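diff -r -U3 httpd-2.2.23/modules/ssl/mod_ssl.c httpd-2.2.23.patched/modules/ssl/mod_ssl.c
--- httpd-2.2.23/modules/ssl/mod_ssl.c	2013-02-14 18:32:59.360289681 -0500
+++ httpd-2.2.23.patched/modules/ssl/mod_ssl.c	2013-02-14 18:34:22.670718893 -0500
@@ -158,6 +158,9 @@
 "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
 SSL_CMD_SRV(HonorCipherOrder, FLAG,
 "Use the server's cipher ordering preference")
+ SSL_CMD_SRV(Compression, FLAG,
+ "Enable SSL level compression"
+ "(`on', `off')")
 SSL_CMD_SRV(InsecureRenegotiation, FLAG,
 "Enable support for insecure renegotiation")
 SSL_CMD_ALL(UserName, TAKE1,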
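Review bot: The two added string literals concatenate with no separator, so the help text shown to admins reads `Enable SSL level compression(`on', `off')`; change the first literal to `"Enable SSL level compression "`. The directive also leaves compression enabled unless it is explicitly turned off (the ssl_engine_config.c hunk initialises the flag to UNSET and ssl_engine_init.c only acts on FALSE), which is worth stating in the help string, e.g. `"Enable SSL level compression (default: on)"`, assuming no hunk outside this patch changes that default. The SSL_CMD_SRV table this sits in starts and ends outside the hunk.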
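diff -r -U3 httpd-2.2.23/modules/ssl/ssl_engine_config.c httpd-2.2.23.patched/modules/ssl/ssl_engine_config.c
--- httpd-2.2.23/modules/ssl/ssl_engine_config.c	2013-02-14 18:32:59.358289719 -0500
+++ httpd-2.2.23.patched/modules/ssl/ssl_engine_config.c	2013-02-14 18:34:22.672718856 -0500
@@ -183,6 +183,9 @@
 #ifdef HAVE_FIPS
 sc->fips = UNSET;
 #endif
+#ifndef OPENSSL_NO_COMP
+ sc->compression = UNSET;
+#endif
 
 modssl_ctx_init_proxy(sc, p);
 
@@ -281,6 +284,9 @@
 #ifdef HAVE_FIPS
 cfgMergeBool(fips);
 #endif
+#ifndef OPENSSL_NO_COMP
+ cfgMergeBool(compression);
+#endif
 
 modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
 
@@ -714,6 +720,23 @@
 
 }
 
+const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
+{
+#if !defined(OPENSSL_NO_COMP)
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+#ifndef SSL_OP_NO_COMPRESSION
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err)
+ return "This version of openssl does not support configuring "
+ "compression within <VirtualHost> sections.";
+#endif
+ sc->compression = flag ? TRUE : FALSE;
+ return NULL;
+#else
+ return "Setting Compression mode unsupported; not implemented by the SSL library";
+#endif
+}
+
 const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
 {
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE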
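Review bot: `ssl_cmd_SSLCompression` gives no hint why the directive is confined to the global context when `SSL_OP_NO_COMPRESSION` is absent; a reader of this function alone cannot tell that the pre-1.0 fallback in ssl_engine_init.c empties a library-wide compression list rather than setting a per-context option, so a per-vhost value could never be honoured. Suggest, above the `ap_check_cmd_context` call, `/* Without SSL_OP_NO_COMPRESSION the only way to disable compression is to clear the process-global SSL_COMP list, so the setting cannot differ per vhost. */`, and a word in the same comment that `err` is deliberately used only as a yes/no and replaced by the more specific message. This function also uses `#if !defined(OPENSSL_NO_COMP)` while the two hunks above and the other files in this patch use `#ifndef OPENSSL_NO_COMP`; one form would be consistent. The `}` at the top of the third hunk closes a function whose body lies outside the hunk.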
[2377] | 64 | Only in httpd-2.2.23.patched/modules/ssl: ssl_engine_config.c.orig |
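diff -r -U3 httpd-2.2.23/modules/ssl/ssl_engine_init.c httpd-2.2.23.patched/modules/ssl/ssl_engine_init.c
--- httpd-2.2.23/modules/ssl/ssl_engine_init.c	2013-02-14 18:32:59.358289719 -0500
+++ httpd-2.2.23.patched/modules/ssl/ssl_engine_init.c	2013-02-14 18:34:22.672718856 -0500
@@ -542,6 +542,18 @@
 }
 #endif
 
+
+#ifndef OPENSSL_NO_COMP
+ if (sc->compression == FALSE) {
+#ifdef SSL_OP_NO_COMPRESSION
+ /* OpenSSL >= 1.0 only */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
+#elif OPENSSL_VERSION_NUMBER >= 0x00908000L
+ sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
+#endif
+ }
+#endif
+
 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
 if (sc->insecure_reneg == TRUE) {
 SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);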
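Review bot: Because `sc->compression` starts as UNSET (ssl_engine_config.c hunk) and this block only acts on `== FALSE`, TLS-level compression stays enabled on every server that does not explicitly write `SSLCompression off`; if the intent is a safe default, the test should be `if (sc->compression != TRUE) {` so that only an explicit `on` keeps compression. Independently, the `#elif` fallback `sk_SSL_COMP_zero(SSL_COMP_get_compression_methods())` empties a process-wide list rather than setting an option on `ctx`, so it affects every SSL_CTX in the process; the comment should say so, e.g. `/* No per-context option before 1.0: clearing the global list disables compression for all contexts in this process. */`. The enclosing function starts and ends outside the hunk.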
[2377] | 87 | Only in httpd-2.2.23.patched/modules/ssl: ssl_engine_init.c.orig |
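diff -r -U3 httpd-2.2.23/modules/ssl/ssl_private.h httpd-2.2.23.patched/modules/ssl/ssl_private.h
--- httpd-2.2.23/modules/ssl/ssl_private.h	2013-02-14 18:32:59.357289737 -0500
+++ httpd-2.2.23.patched/modules/ssl/ssl_private.h	2013-02-14 18:34:22.673718837 -0500
@@ -507,6 +507,9 @@
 #ifdef HAVE_FIPS
 BOOL fips;
 #endif
+#ifndef OPENSSL_NO_COMP
+ BOOL compression;
+#endif
 };
 
 /**
@@ -563,6 +566,7 @@
 const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
 const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);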
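Review bot: The new `BOOL compression;` field is the only place a maintainer will look to learn what the three states mean, and the init code depends on them, so it deserves a comment: `BOOL compression; /* SSLCompression: TRUE/FALSE; UNSET keeps the library default (compression on) */`. In the second hunk the prototype `ssl_cmd_SSLCompression(cmd_parms *, void *, int flag)` names only its last parameter, while the line above names all three and the surrounding declarations name none; pick one form, e.g. `const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int);`. The struct whose tail is shown in the first hunk begins outside the hunk.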
[2377] | 109 | Only in httpd-2.2.23.patched/modules/ssl: ssl_private.h.orig |
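diff -r -U3 httpd-2.2.23/modules/ssl/ssl_toolkit_compat.h httpd-2.2.23.patched/modules/ssl/ssl_toolkit_compat.h
--- httpd-2.2.23/modules/ssl/ssl_toolkit_compat.h	2012-08-17 13:30:46.000000000 -0400
+++ httpd-2.2.23.patched/modules/ssl/ssl_toolkit_compat.h	2013-02-14 18:34:22.674718818 -0500
@@ -277,6 +277,11 @@
 #endif
 #endif
 
+#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
+ && OPENSSL_VERSION_NUMBER < 0x00908000L
+#define OPENSSL_NO_COMP
+#endif
+
 #endif /* SSL_TOOLKIT_COMPAT_H */
 
 /** @} */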
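Review bot: The added `#if` defines `OPENSSL_NO_COMP` for OpenSSL older than 0.9.8 without saying why; the reader has to work out from the other files that such builds offer neither `SSL_OP_NO_COMPRESSION` nor the compression-method list, so compression cannot be switched off at all and the directive is made to fail loudly rather than be silently ignored. Suggest a comment above the block: `/* Before 0.9.8 compression cannot be disabled at all; treat it as absent so SSLCompression is rejected instead of ignored. */`. The `!defined(SSL_OP_NO_COMPRESSION)` term is redundant with the version test (the ssl_engine_init.c hunk notes the option exists only from 1.0), presumably kept as a guard against vendor backports; if so, the comment should say that too.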
[2377] | 125 | Only in httpd-2.2.23.patched/modules/ssl: ssl_toolkit_compat.h.orig |