Change default for SSLCompression to off, as compression
causes security issues in most setups
Reviewed by sf, fuankg, rjung
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1510043 13f79535-47bb-0310-9956-ffa450edef68
-*- coding: utf-8 -*-
Changes with Apache 2.2.26
+ *) mod_ssl: Change default for SSLCompression to off, as compression
+ causes security issues in most setups. (The so called "CRIME" attack).
+ [Stefan Fritsch]
+
*) mod_ssl: Fix compilation error when OpenSSL does not contain
support for SSLv2. Problem was introduced in 2.2.25. PR 55194.
[Rainer Jung, Kaspar Brand]
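Review bot: "causes security issues in most setups" is too vague for a CHANGES entry that flips a shipped default; state the failure mode in one clause, e.g. "TLS-level compression lets an attacker who can inject chosen plaintext into the same connection as a secret such as a session cookie recover that secret from the compressed record length (the CRIME attack)", and hyphenate "so-called". Because the old default was on in 2.2.24 and 2.2.25, the entry should also say that sites that depend on compression now need an explicit SSLCompression on, as the docs hunk in this commit does.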
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ssl: Change default for SSLCompression to off.
- trunk patch: http://svn.apache.org/r1400700
- 2.4.x patch: http://svn.apache.org/r1400962
- 2.2.x patch: trunk patch works (except CHANGES and compatibility info in docs)
- +1: sf, fuankg, rjung
-
* core: speed up (for common cases) and reduce memory usage of ap_escape_logitem
This should save 70-100 bytes in the request pool for a default config.
trunk patch: http://svn.apache.org/r1485409
<directivesynopsis>
<name>SSLCompression</name>
-<description>Disallow compression on the SSL level</description>
+<description>Enable compression on the SSL level</description>
<syntax>SSLCompression on|off</syntax>
-<default>SSLCompression on</default>
+<default>SSLCompression off</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<compatibility>Available in httpd 2.2.24 and later, if using OpenSSL 0.9.8 or later;
-virtual host scope available if using OpenSSL 1.0.0 or later</compatibility>
+virtual host scope available if using OpenSSL 1.0.0 or later.
+The default used to be <code>on</code> in versions 2.2.24 to 2.2.25.</compatibility>
<usage>
-<p>This directive allows to disable compression on the SSL level.</p>
+<p>This directive allows to enable compression on the SSL level.</p>
+<note type="warning">
+<p>Enabling compression causes security issues in most setups (the so called
+CRIME attack).</p>
+</note>
</usage>
</directivesynopsis>
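Review bot: "This directive allows to enable compression on the SSL level" is ungrammatical; write "This directive enables compression on the SSL level" (the updated description element already uses that form) and hyphenate "so-called" in the warning. The warning names CRIME but not the condition that makes compression dangerous: an attacker who can cause the client to send chosen plaintext in the same compressed stream as a secret (a cookie or token) can recover it byte by byte from the compressed record size, so it should advise leaving the directive off unless no attacker-influenced data shares a TLS connection with secrets. Since the directive is now opt-in and administrators will read this page to turn it on, the compatibility line should also spell out what "virtual host scope available if using OpenSSL 1.0.0 or later" implies for older OpenSSL: with 0.9.8 the setting is server-wide, so SSLCompression on in one virtual host cannot be confined to that host.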
#ifndef OPENSSL_NO_COMP
- if (sc->compression == FALSE) {
+ if (sc->compression != TRUE) {
#ifdef SSL_OP_NO_COMPRESSION
/* OpenSSL >= 1.0 only */
SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
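Review bot: changing `== FALSE` to `!= TRUE` flips the default by making the UNSET value (what a freshly created server config carries before any SSLCompression directive is parsed) take the disable path; that is the whole mechanism of the change and it is not obvious from the line, so add a comment above the `if`, e.g. `/* UNSET means off: compression is opt-in because of CRIME */`. Please also confirm in ssl_config.c that `sc->compression` is initialised to UNSET rather than TRUE, otherwise this condition would not change the effective default; that initialisation is outside this hunk.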