Posted to cvs@httpd.apache.org by wr...@apache.org on 2005/07/06 17:16:31 UTC
svn commit: r209469 - in /httpd/httpd/trunk: docs/manual/mod/mod_ssl.xml
docs/manual/ssl/ssl_faq.xml modules/ssl/ssl_engine_kernel.c
modules/ssl/ssl_engine_vars.c
Author: wrowe
Date: Wed Jul 6 08:16:28 2005
New Revision: 209469
URL: http://svn.apache.org/viewcvs?rev=209469&view=rev
Log:
Add SSL_COMPRESS_METHOD variable (included in +StdEnvVars) to note
the negotiated compression.
Reviewed by: wrowe, Maxime Petazzoni
Submitted by: Georg v. Zezschwitz <gvz 2scale.de>
Modified:
httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=209469&r1=209468&r2=209469&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Wed Jul 6 08:16:28 2005
@@ -65,6 +65,7 @@
<tr><td><code>SSL_CIPHER_EXPORT</code></td> <td>string</td> <td><code>true</code> if cipher is an export cipher</td></tr>
<tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (actually used)</td></tr>
<tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (possible)</td></tr>
+<tr><td><code>SSL_COMPRESS_METHOD</code></td> <td>string</td> <td>SSL compression method negotiated</td></tr>
<tr><td><code>SSL_VERSION_INTERFACE</code></td> <td>string</td> <td>The mod_ssl program version</td></tr>
<tr><td><code>SSL_VERSION_LIBRARY</code></td> <td>string</td> <td>The OpenSSL program version</td></tr>
<tr><td><code>SSL_CLIENT_M_VERSION</code></td> <td>string</td> <td>The version of the client certificate</td></tr>
Modified: httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml?rev=209469&r1=209468&r2=209469&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml (original)
+++ httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml Wed Jul 6 08:16:28 2005
@@ -680,6 +680,7 @@
<li><a href="#vhosts">HTTPS and name-based vhosts</a></li>
<li><a href="#vhosts2">Why is it not possible to use Name-Based Virtual
Hosting to identify different SSL virtual hosts?</a></li>
+<li><a href="#comp">How do I get SSL compression working?</a></li>
<li><a href="#lockicon">The lock icon in Netscape locks very late</a></li>
<li><a href="#msie">Why do I get I/O errors with MSIE clients?</a></li>
<li><a href="#nn">Why do I get I/O errors with NS clients?</a></li>
@@ -802,6 +803,23 @@
<p>Use separate IP addresses for different SSL hosts.
Use different port numbers for different SSL hosts.</p>
+</section>
+
+<section id="comp"><title>How do I get SSL compression working?</title>
+<p>Although SSL compression negotiation was already defined in the specification
+of SSLv2 and TLS, it took until May 2004 when RFC 3749 defined DEFLATE as
+a negotiable standard compression method.
+</p>
+<p>OpenSSL 0.9.8 started to support this by default when compiled with the
+<code>zlib</code> option. If both the client and the server support compression,
+it will be used. However, most clients still try to initially connect with an
+SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms
+in its handshake, compression can not be negotiated with these clients.
+If the client disables support for SSLv2, based on the used SSL library
+a SSLv3 or TLS Hello might be sent and compression might be set up.
+You can verify if clients make use of SSL compression by logging the
+<code>%{SSL_COMPRESS_METHOD}x</code> variable.
+</p>
</section>
<section id="lockicon"><title>When I use Basic Authentication over HTTPS the lock icon in Netscape browsers
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=209469&r1=209468&r2=209469&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Wed Jul 6 08:16:28 2005
@@ -946,6 +946,7 @@
"SSL_VERSION_INTERFACE",
"SSL_VERSION_LIBRARY",
"SSL_PROTOCOL",
+ "SSL_COMPRESS_METHOD",
"SSL_CIPHER",
"SSL_CIPHER_EXPORT",
"SSL_CIPHER_USEKEYSIZE",
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?rev=209469&r1=209468&r2=209469&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Wed Jul 6 08:16:28 2005
@@ -50,6 +50,7 @@
static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var);
static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
+static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl);
static int ssl_is_https(conn_rec *c)
{
@@ -296,6 +297,9 @@
if ((xs = SSL_get_certificate(ssl)) != NULL)
result = ssl_var_lookup_ssl_cert(p, xs, var+7);
}
+ else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
+ result = ssl_var_lookup_ssl_compress_meth(ssl);
+ }
return result;
}
@@ -708,6 +712,39 @@
}
ERR_clear_error();
+ return result;
+}
+
+static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
+{
+ char *result = "NULL";
+#ifdef OPENSSL_VERSION_NUMBER
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
+ SSL_SESSION *pSession = SSL_get_session(ssl);
+
+ if (pSession) {
+ switch (pSession->compress_meth) {
+ case 0:
+ /* default "NULL" already set */
+ break;
+
+ /* Defined by RFC 3749, deflate is coded by "1" */
+ case 1:
+ result = "DEFLATE";
+ break;
+
+ /* IANA assigned compression number for LZS */
+ case 0x40:
+ result = "LZS";
+ break;
+
+ default:
+ result = "UNKNOWN";
+ break;
+ }
+ }
+#endif
+#endif
return result;
}
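Review bot: ssl_var_lookup_ssl_compress_meth reads `pSession->compress_meth` straight out of the SSL_SESSION struct, so the lookup is tied to the library's internal layout rather than an accessor, and on builds against OpenSSL older than 0x00908000 the `#if` drops the whole body so the variable reports "NULL" regardless of what was negotiated, which a log reader cannot distinguish from a genuine no-compression session. I would state both facts on the function, e.g. `/* Reads SSL_SESSION::compress_meth (RFC 3749 / IANA compression id) directly; with OpenSSL < 0.9.8 the variable is always "NULL" */`. The outer `#ifdef OPENSSL_VERSION_NUMBER` is redundant because an undefined macro evaluates to 0 inside `#if`, so the inner version test alone already yields the same result and the two-level nesting can be collapsed. The `default` branch also discards the actual id behind "UNKNOWN"; since the function has no pool to format into, a short comment saying the raw value is intentionally not reported would save the next maintainer a question. The preceding function whose tail appears at the top of this hunk begins outside it.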