-*- coding: utf-8 -*-
Changes with Apache 2.2.24
-
+ *) mod_ssl: Add new directive SSLCompression to disable TLS-level
+ compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
Changes with Apache 2.2.23
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>SSLCompression</name>
+<description>Disallow compression on the SSL level</description>
+<syntax>SSLCompression on|off</syntax>
+<default>SSLCompression on</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.2.24 and later, if using OpenSSL 0.9.8 or later;
+virtual host scope available if using OpenSSL 1.0.0 or later</compatibility>
+
+<usage>
+<p>This directive allows to disable compression on the SSL level.</p>
+</usage>
+</directivesynopsis>
+
+
</modulesynopsis>
"('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
SSL_CMD_SRV(HonorCipherOrder, FLAG,
"Use the server's cipher ordering preference")
+ SSL_CMD_SRV(Compression, FLAG,
+ "Enable SSL level compression"
+ "(`on', `off')")
SSL_CMD_SRV(InsecureRenegotiation, FLAG,
"Enable support for insecure renegotiation")
SSL_CMD_ALL(UserName, TAKE1,
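Review bot: The help text for the new Compression entry is built from two adjacent string literals with no separating space, so it renders as "Enable SSL level compression(`on', `off')"; the sibling entries (HonorCipherOrder, InsecureRenegotiation) are single phrases and avoid this. Since the directive's purpose per the changelog is to *disable* compression, "Enable" is also a misleading verb for a flag whose default is on. Suggest `"Enable or disable SSL level compression "` on the first line so the concatenation reads cleanly and describes both values.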
#ifdef HAVE_FIPS
sc->fips = UNSET;
#endif
+#ifndef OPENSSL_NO_COMP
+ sc->compression = UNSET;
+#endif
modssl_ctx_init_proxy(sc, p);
#ifdef HAVE_FIPS
cfgMergeBool(fips);
#endif
+#ifndef OPENSSL_NO_COMP
+ cfgMergeBool(compression);
+#endif
modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
}
+const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
+{
+#if !defined(OPENSSL_NO_COMP)
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+#ifndef SSL_OP_NO_COMPRESSION
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err)
+ return "This version of openssl does not support configuring "
+ "compression within <VirtualHost> sections.";
+#endif
+ sc->compression = flag ? TRUE : FALSE;
+ return NULL;
+#else
+ return "Setting Compression mode unsupported; not implemented by the SSL library";
+#endif
+}
+
const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
{
#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
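Review bot: In the `#ifndef SSL_OP_NO_COMPRESSION` branch the string returned by ap_check_cmd_context() is fetched into `err` and then discarded in favour of a hand-written message, so the variable only serves as a boolean; either return `err` directly (consistent with how other ssl_cmd_* handlers surface context errors) or drop the variable and write `if (ap_check_cmd_context(cmd, GLOBAL_ONLY))`. The `#else` message "not implemented by the SSL library" is also slightly inaccurate: elsewhere in this patch mod_ssl's own compat header defines OPENSSL_NO_COMP for OpenSSL builds older than 0.9.8, so the directive can be rejected even when the library itself was built with compression. A short comment above the `#ifndef SSL_OP_NO_COMPRESSION` block, e.g. `/* Pre-1.0.0 OpenSSL has no per-context switch; the only way to disable compression is to clear the process-global method list, so restrict this to server config. */`, would tell the next maintainer why the directive is GLOBAL_ONLY on that code path.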
}
#endif
+
+#ifndef OPENSSL_NO_COMP
+ if (sc->compression == FALSE) {
+#ifdef SSL_OP_NO_COMPRESSION
+ /* OpenSSL >= 1.0 only */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
+#elif OPENSSL_VERSION_NUMBER >= 0x00908000L
+ sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
+#endif
+ }
+#endif
+
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
if (sc->insecure_reneg == TRUE) {
SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
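Review bot: Compression is turned off only when `sc->compression == FALSE`, so the initialised value UNSET leaves TLS-level compression enabled on every server unless the administrator explicitly adds `SSLCompression off`; given that TLS compression is the ingredient of the compression side-channel against HTTPS (CRIME), a secure-by-default choice would be to disable it unless explicitly enabled, i.e. `if (sc->compression != TRUE) {`, with the documentation default updated to match. Independently of the default, the `#elif` path calls `sk_SSL_COMP_zero(SSL_COMP_get_compression_methods())`, which clears the process-global compression list rather than a per-SSL_CTX option; that affects every context created afterwards in this process (presumably including proxy client contexts) and cannot be undone, which is worth stating in the comment, e.g. `/* OpenSSL < 1.0.0: no per-context option; this empties the global method list for the whole process */`. The enclosing function starts and ends outside this hunk.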
#define HAVE_TLSV1_X
#endif
+#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
+ && OPENSSL_VERSION_NUMBER < 0x00908000L
+#define OPENSSL_NO_COMP
+#endif
+
#include "ssl_util_ssl.h"
/** The #ifdef macros are only defined AFTER including the above
#ifdef HAVE_FIPS
BOOL fips;
#endif
+#ifndef OPENSSL_NO_COMP
+ BOOL compression;
+#endif
};
/**
const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);