source: trunk/server/common/patches/httpd-SSLCompression.patch @ 2375

Last change on this file since 2375 was 2321, checked in by geofft, 13 years ago
Disable SSL compression to defend against rumored side-channel attack
File size: 4.5 KB
RevLine 
[2321]1Description: mod_ssl: Add new directive SSLCompression to disable TLS-level compression.
2Origin: http://svn.apache.org/viewvc?view=revision&revision=1369585
3
4diff -Naur httpd-2.2.22/modules/ssl/mod_ssl.c httpd-2.2.22.patched/modules/ssl/mod_ssl.c
5--- httpd-2.2.22/modules/ssl/mod_ssl.c  2010-07-12 14:47:45.000000000 -0400
6+++ httpd-2.2.22.patched/modules/ssl/mod_ssl.c  2012-09-12 17:10:57.417861707 -0400
7@@ -146,6 +146,9 @@
8                 "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
9     SSL_CMD_SRV(HonorCipherOrder, FLAG,
10                 "Use the server's cipher ordering preference")
11+    SSL_CMD_SRV(Compression, FLAG,
12+                "Enable SSL level compression"
13+                "(`on', `off')")
14     SSL_CMD_SRV(InsecureRenegotiation, FLAG,
15                 "Enable support for insecure renegotiation")
16     SSL_CMD_ALL(UserName, TAKE1,
17diff -Naur httpd-2.2.22/modules/ssl/ssl_engine_config.c httpd-2.2.22.patched/modules/ssl/ssl_engine_config.c
18--- httpd-2.2.22/modules/ssl/ssl_engine_config.c        2011-04-14 09:56:17.000000000 -0400
19+++ httpd-2.2.22.patched/modules/ssl/ssl_engine_config.c        2012-09-12 17:10:57.425862035 -0400
20@@ -178,6 +178,9 @@
21 #ifdef HAVE_FIPS
22     sc->fips                   = UNSET;
23 #endif
24+#ifndef OPENSSL_NO_COMP
25+    sc->compression            = UNSET;
26+#endif
27 
28     modssl_ctx_init_proxy(sc, p);
29 
30@@ -275,6 +278,9 @@
31 #ifdef HAVE_FIPS
32     cfgMergeBool(fips);
33 #endif
34+#ifndef OPENSSL_NO_COMP
35+    cfgMergeBool(compression);
36+#endif
37 
38     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
39 
40@@ -708,6 +714,23 @@
41 
42 }
43 
44+const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
45+{
46+#if !defined(OPENSSL_NO_COMP)
47+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
48+#ifndef SSL_OP_NO_COMPRESSION
49+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
50+    if (err)
51+        return "This version of openssl does not support configuring "
52+               "compression within <VirtualHost> sections.";
53+#endif
54+    sc->compression = flag ? TRUE : FALSE;
55+    return NULL;
56+#else
57+    return "Setting Compression mode unsupported; not implemented by the SSL library";
58+#endif
59+}
60+
61 const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
62 {
63 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
64diff -Naur httpd-2.2.22/modules/ssl/ssl_engine_init.c httpd-2.2.22.patched/modules/ssl/ssl_engine_init.c
65--- httpd-2.2.22/modules/ssl/ssl_engine_init.c  2011-04-14 09:56:17.000000000 -0400
66+++ httpd-2.2.22.patched/modules/ssl/ssl_engine_init.c  2012-09-12 17:10:57.419861789 -0400
67@@ -503,6 +503,18 @@
68     }
69 #endif
70 
71+
72+#ifndef OPENSSL_NO_COMP
73+    if (sc->compression == FALSE) {
74+#ifdef SSL_OP_NO_COMPRESSION
75+        /* OpenSSL >= 1.0 only */
76+        SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
77+#elif OPENSSL_VERSION_NUMBER >= 0x00908000L
78+        sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
79+#endif
80+    }
81+#endif
82+
83 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
84     if (sc->insecure_reneg == TRUE) {
85         SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
86diff -Naur httpd-2.2.22/modules/ssl/ssl_private.h httpd-2.2.22.patched/modules/ssl/ssl_private.h
87--- httpd-2.2.22/modules/ssl/ssl_private.h      2011-04-14 09:56:17.000000000 -0400
88+++ httpd-2.2.22.patched/modules/ssl/ssl_private.h      2012-09-12 18:11:48.762900287 -0400
89@@ -486,6 +486,9 @@
90 #ifdef HAVE_FIPS
91     BOOL             fips;
92 #endif
93+#ifndef OPENSSL_NO_COMP
94+    BOOL             compression;
95+#endif
96 };
97 
98 /**
99@@ -542,6 +545,7 @@
100 const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
101 const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
102 const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
103+const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
104 const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
105 const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
106 const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
107diff -Naur httpd-2.2.22/modules/ssl/ssl_toolkit_compat.h httpd-2.2.22.patched/modules/ssl/ssl_toolkit_compat.h
108--- httpd-2.2.22/modules/ssl/ssl_toolkit_compat.h       2010-07-12 14:47:45.000000000 -0400
109+++ httpd-2.2.22.patched/modules/ssl/ssl_toolkit_compat.h       2012-09-12 18:12:09.982772267 -0400
110@@ -276,6 +276,11 @@
111 #endif
112 #endif
113 
114+#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
115+    && OPENSSL_VERSION_NUMBER < 0x00908000L
116+#define OPENSSL_NO_COMP
117+#endif
118+
119 #endif /* SSL_TOOLKIT_COMPAT_H */
120 
121 /** @} */
Note: See TracBrowser for help on using the repository browser.