generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

RT3234: disable compression

Browse Source 
CRIME protection: disable compression by default, even if OpenSSL is
compiled with zlib enabled. Applications can still enable compression by
calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by using
the SSL_CONF library to configure compression. SSL_CONF continues to
work as before:

SSL_CONF_cmd(ctx, "Options", "Compression") enables compression.

SSL_CONF_cmd(ctx, "Options", "-Compression") disables compression (now
no-op by default).

The command-line switch has changed from -no_comp to -comp.

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Emilia Kasper
2016-02-02 16:26:38 +01:00
parent 0c20802c6a
commit dc5744cb78
6 changed files with 25 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ssl/ssl_conf.c
View File

@@ -581,7 +581,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
SSL_CONF_CMD_SWITCH("no_tls1_1", 0),
SSL_CONF_CMD_SWITCH("no_tls1_2", 0),
SSL_CONF_CMD_SWITCH("bugs", 0),
SSL_CONF_CMD_SWITCH("no_comp", 0),
SSL_CONF_CMD_SWITCH("comp", 0),
SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("no_ticket", 0),
SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER),
@@ -640,7 +640,7 @@ static const ssl_switch_tbl ssl_cmd_switches[] = {
{SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */
{SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */
{SSL_OP_ALL, 0}, /* bugs */
{SSL_OP_NO_COMPRESSION, 0}, /* no_comp */
{SSL_OP_NO_COMPRESSION, 1}, /* comp */
{SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */
{SSL_OP_NO_TICKET, 0}, /* no_ticket */
{SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */

7
ssl/ssl_lib.c
View File

@@ -2362,6 +2362,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
* deployed might change this.
*/
ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
/*
* Disable compression by default to prevent CRIME. Applications can
* re-enable compression by configuring
* SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION);
* or by using the SSL_CONF library.
*/
ret->options |= SSL_OP_NO_COMPRESSION;
return (ret);
err: