Posted to cvs@httpd.apache.org by sf...@apache.org on 2012/10/21 21:15:44 UTC
svn commit: r1400700 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_init.c
Author: sf
Date: Sun Oct 21 19:15:43 2012
New Revision: 1400700
URL: http://svn.apache.org/viewvc?rev=1400700&view=rev
Log:
Change default for SSLCompression to off, as compression
causes security issues in most setups
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1400700&r1=1400699&r2=1400700&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sun Oct 21 19:15:43 2012
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_ssl: Change default for SSLCompression to off, as compression
+ causes security issues in most setups. (The so called "CRIME" attack).
+ [Stefan Fritsch]
+
*) syslog logging: Remove stray ", referer" at the end of some messages.
[Jeff Trawick]
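Review bot: The CHANGES entry should state that this is a behaviour change from 2.4.3, where SSLCompression defaulted to on, so that administrators who rely on TLS compression know to set `SSLCompression on` explicitly after upgrading; the mod_ssl.xml hunk in this same commit records the old default ("The default used to be on in version 2.4.3") but the CHANGES entry does not. Minor: "so called" should be hyphenated as "so-called".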
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1400700&r1=1400699&r2=1400700&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Sun Oct 21 19:15:43 2012
@@ -2446,16 +2446,21 @@ be protected with file permissions simil
<directivesynopsis>
<name>SSLCompression</name>
-<description>Disallow compression on the SSL level</description>
+<description>Enable compression on the SSL level</description>
<syntax>SSLCompression on|off</syntax>
-<default>SSLCompression on</default>
+<default>SSLCompression off</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<compatibility>Available in httpd 2.4.3 and later, if using OpenSSL 0.9.8 or later;
-virtual host scope available if using OpenSSL 1.0.0 or later</compatibility>
+virtual host scope available if using OpenSSL 1.0.0 or later.
+The default used to be <code>on</code> in version 2.4.3.</compatibility>
<usage>
-<p>This directive allows to disable compression on the SSL level.</p>
+<p>This directive allows to enable compression on the SSL level.</p>
+<note type="warning">
+<p>Enabling compression causes security issues in most setups (the so called
+CRIME attack).</p>
+</note>
</usage>
</directivesynopsis>
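Review bot: The new usage sentence "This directive allows to enable compression on the SSL level" is ungrammatical (as was the "-" line it replaces); "allows" needs an object, so write "This directive enables compression on the SSL level" or "This directive allows you to enable compression on the SSL level". The warning note should also say plainly that leaving the directive at its new default of off is the safe choice and that `on` should only be set after weighing the CRIME risk for that site, rather than only stating that enabling it "causes security issues".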
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1400700&r1=1400699&r2=1400700&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sun Oct 21 19:15:43 2012
@@ -656,7 +656,7 @@ static void ssl_init_ctx_protocol(server
#ifndef OPENSSL_NO_COMP
- if (sc->compression == FALSE) {
+ if (sc->compression != TRUE) {
#ifdef SSL_OP_NO_COMPRESSION
/* OpenSSL >= 1.0 only */
SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
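Review bot: Changing `sc->compression == FALSE` to `sc->compression != TRUE` flips the default only because the unset value (neither TRUE nor FALSE) now falls into the no-compression branch; nothing else in the diff touches where sc->compression is initialized or merged, so the new default lives implicitly in this comparison. Add a comment here saying that unset means off, or resolve the tri-state to an explicit on/off at config-merge time so this branch tests a plain boolean. The "/* OpenSSL >= 1.0 only */" comment implies a separate path for older OpenSSL below SSL_OP_NO_COMPRESSION, which is outside the shown lines; confirm that path also honours the unset-means-off default.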