From: Stefan Fritsch Date: Sat, 3 Aug 2013 17:32:12 +0000 (+0000) Subject: Merge r1400700: X-Git-Tag: 2.2.26~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7d841a43b52bc2b32bb1e19f74e4b8afbb49a62b;p=thirdparty%2Fapache%2Fhttpd.git Merge r1400700: Change default for SSLCompression to off, as compression causes security issues in most setups Reviewed by sf, fuankg, rjung git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1510043 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 8e3327cc9d6..05bba12d88c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.26 + *) mod_ssl: Change default for SSLCompression to off, as compression + causes security issues in most setups. (The so called "CRIME" attack). + [Stefan Fritsch] + *) mod_ssl: Fix compilation error when OpenSSL does not contain support for SSLv2. Problem was introduced in 2.2.25. PR 55194. [Rainer Jung, Kaspar Brand] diff --git a/STATUS b/STATUS index aa746004629..c4296e1ce60 100644 --- a/STATUS +++ b/STATUS @@ -97,12 +97,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_ssl: Change default for SSLCompression to off. - trunk patch: http://svn.apache.org/r1400700 - 2.4.x patch: http://svn.apache.org/r1400962 - 2.2.x patch: trunk patch works (except CHANGES and compatibility info in docs) - +1: sf, fuankg, rjung - * core: speed up (for common cases) and reduce memory usage of ap_escape_logitem This should save 70-100 bytes in the request pool for a default config. trunk patch: http://svn.apache.org/r1485409 diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index 78915fb267a..f4b00b7aaa3 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -1904,16 +1904,21 @@ supported for a given SSL connection.

SSLCompression -Disallow compression on the SSL level +Enable compression on the SSL level SSLCompression on|off -SSLCompression on +SSLCompression off server config virtual host Available in httpd 2.2.24 and later, if using OpenSSL 0.9.8 or later; -virtual host scope available if using OpenSSL 1.0.0 or later +virtual host scope available if using OpenSSL 1.0.0 or later. +The default used to be on in versions 2.2.24 to 2.2.25. -

This directive allows to disable compression on the SSL level.

+

This directive allows to enable compression on the SSL level.

+ +

Enabling compression causes security issues in most setups (the so called +CRIME attack).

+
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index e9816fe152a..dcae945cf96 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -535,7 +535,7 @@ static void ssl_init_ctx_protocol(server_rec *s, #ifndef OPENSSL_NO_COMP - if (sc->compression == FALSE) { + if (sc->compression != TRUE) { #ifdef SSL_OP_NO_COMPRESSION /* OpenSSL >= 1.0 only */ SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
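Review bot: In the ssl_engine_init.c hunk, changing `if (sc->compression == FALSE)` to `if (sc->compression != TRUE)` only changes behaviour if sc->compression can hold a value other than TRUE or FALSE (the not-configured state), so the new off default is implemented by steering that unset state into the disable path rather than by changing any initializer; that is easy to misread on the next edit, so add a comment at the condition, e.g. `/* compression stays disabled unless SSLCompression on was given explicitly */`. Since the docs hunk in this patch advertises virtual host scope, it is also worth confirming that an explicit `SSLCompression on` in a vhost still overrides the unset server-level value after the merge, otherwise the documented scope no longer matches the code.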
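Review bot: In the mod_ssl.xml hunk, the wording "This directive allows to enable compression on the SSL level." is ungrammatical; prefer "This directive enables or disables compression on the SSL level." Given the new default and the compatibility line "The default used to be on in versions 2.2.24 to 2.2.25.", the security paragraph should also state plainly that compression is now off unless `SSLCompression on` is set explicitly, so administrators upgrading from 2.2.24 or 2.2.25 understand that existing configurations change behaviour; and "so called CRIME attack" should read "so-called CRIME attack".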
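Review bot: In the CHANGES hunk, the parenthetical "(The so called "CRIME" attack)." is a stand-alone fragment after the full stop and leaves "so called" unhyphenated; fold it into the sentence, e.g. `causes security issues in most setups (the so-called "CRIME" attack).`, so the entry reads as one sentence and matches the phrasing used in the mod_ssl.xml note of the same patch.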