Posted to cvs@httpd.apache.org by ji...@apache.org on 2012/10/22 19:16:05 UTC

svn commit: r1400962 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_init.c

Author: jim
Date: Mon Oct 22 17:16:04 2012
New Revision: 1400962

URL: http://svn.apache.org/viewvc?rev=1400962&view=rev
Log:
Merge r1400700 from trunk:

Change default for SSLCompression to off, as compression
causes security issues in most setups

Submitted by: sf
Reviewed/backported by: jim

Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/STATUS
    httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r1400700

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1400962&r1=1400961&r2=1400962&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Mon Oct 22 17:16:04 2012
@@ -2,6 +2,10 @@
 
 Changes with Apache 2.4.4
  
+  *) mod_ssl: Change default for SSLCompression to off, as compression
+     causes security issues in most setups. (The so called "CRIME" attack).
+     [Stefan Fritsch]
+
   *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
      to more accurately report the negotiated protocol. PR 53916.
      [Nicolás Pernas Maradei <nico emutex com>, Kaspar Brand]
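Review bot: the parenthetical on the second line of the new CHANGES entry, "(The so called "CRIME" attack).", is a standalone fragment after the period; fold it into the sentence as "causes security issues in most setups (the so-called CRIME attack)." and drop the quotation marks, which the mod_ssl.xml text in this same commit also omits. Since this flips a default that 2.4.3 shipped with, the entry should also tell upgraders that sites relying on TLS compression now need an explicit "SSLCompression on", as the compatibility note in the docs change already records.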

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1400962&r1=1400961&r2=1400962&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Mon Oct 22 17:16:04 2012
@@ -89,10 +89,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_ssl: Change default for SSLCompression to off.
-     trunk patch: http://svn.apache.org/viewvc?rev=1400700&view=rev
-     2.4.x patch: trunk patch works (except CHANGES)
-     +1: sf, covener, jim
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
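Review bot: removing the accepted-backport block leaves two consecutive blank lines between the "[ start all new proposals below, under PATCHES PROPOSED. ]" line and the "PATCHES PROPOSED TO BACKPORT FROM TRUNK:" heading; drop one of them so the section spacing matches the rest of the file. The removal itself is correct: the entry carried the three +1 votes it lists and is exactly what this commit merges.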

Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml?rev=1400962&r1=1400961&r2=1400962&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml Mon Oct 22 17:16:04 2012
@@ -2391,16 +2391,21 @@ be protected with file permissions simil
 
 <directivesynopsis>
 <name>SSLCompression</name>
-<description>Disallow compression on the SSL level</description>
+<description>Enable compression on the SSL level</description>
 <syntax>SSLCompression on|off</syntax>
-<default>SSLCompression on</default>
+<default>SSLCompression off</default>
 <contextlist><context>server config</context>
 <context>virtual host</context></contextlist>
 <compatibility>Available in httpd 2.4.3 and later, if using OpenSSL 0.9.8 or later;
-virtual host scope available if using OpenSSL 1.0.0 or later</compatibility>
+virtual host scope available if using OpenSSL 1.0.0 or later.
+The default used to be <code>on</code> in version 2.4.3.</compatibility>
 
 <usage>
-<p>This directive allows to disable compression on the SSL level.</p>
+<p>This directive allows to enable compression on the SSL level.</p>
+<note type="warning">
+<p>Enabling compression causes security issues in most setups (the so called
+CRIME attack).</p>
+</note>
 </usage>
 </directivesynopsis>
 
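Review bot: "This directive allows to enable compression on the SSL level" is ungrammatical ("allow" needs an object or a gerund), and the old wording had the same problem; suggest "This directive enables compression on the SSL level" or, more helpful now that the default is off, "Set this directive to on to enable compression on the SSL level". In the new warning, hyphenate "so-called". The compatibility sentence recording that the default was on in 2.4.3 is the right place for that fact, and the <default> change to off matches the code change in ssl_engine_init.c.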

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1400962&r1=1400961&r2=1400962&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Mon Oct 22 17:16:04 2012
@@ -624,7 +624,7 @@ static void ssl_init_ctx_protocol(server
 
 
 #ifndef OPENSSL_NO_COMP
-    if (sc->compression == FALSE) {
+    if (sc->compression != TRUE) {
 #ifdef SSL_OP_NO_COMPRESSION
         /* OpenSSL >= 1.0 only */
         SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
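Review bot: `if (sc->compression != TRUE)` differs from the old `if (sc->compression == FALSE)` only when sc->compression holds a value other than TRUE or FALSE, i.e. when SSLCompression was never set; the new condition then disables compression, which is how the default flip is actually implemented. That is the intended behaviour, but nothing at this line says so, so add a comment such as `/* compression stays off unless SSLCompression on is set explicitly */` above the if. Also, only the SSL_OP_NO_COMPRESSION branch ("OpenSSL >= 1.0 only") is visible in the hunk; whatever the alternate branch does for OpenSSL 0.9.8 must likewise treat the unset state as off, otherwise the documented default would only hold on newer OpenSSL.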