author | Emilia Kasper <emilia@openssl.org> | 2016-02-02 16:26:38 +0100 |
---|---|---|
committer | Emilia Kasper <emilia@openssl.org> | 2016-02-03 18:08:16 +0100 |
commit | dc5744cb78da6f2bcafeeefe22c604a51b52dfc5 (patch) | |
tree | d1b336ac5e71896dcfd4217fc4e9c8ec3fd326a2 /ssl | |
parent | 0c20802c6a6008b28bfb0eac67d69f536edc60a7 (diff) | |
download | openssl-dc5744cb78da6f2bcafeeefe22c604a51b52dfc5.tar.gz |
RT3234: disable compression
CRIME protection: disable compression by default, even if OpenSSL is
compiled with zlib enabled. Applications can still enable compression by
calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by using
the SSL_CONF library to configure compression. SSL_CONF continues to
work as before:
SSL_CONF_cmd(ctx, "Options", "Compression") enables compression.
SSL_CONF_cmd(ctx, "Options", "-Compression") disables compression (now
no-op by default).
The command-line switch has changed from -no_comp to -comp.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/ssl_conf.c | 4 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 7 |
2 files changed, 9 insertions, 2 deletions
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 2c40df1593..d0935cf0e5 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -581,7 +581,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
     SSL_CONF_CMD_SWITCH("no_tls1_1", 0),
     SSL_CONF_CMD_SWITCH("no_tls1_2", 0),
     SSL_CONF_CMD_SWITCH("bugs", 0),
-    SSL_CONF_CMD_SWITCH("no_comp", 0),
+    SSL_CONF_CMD_SWITCH("comp", 0),
     SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER),
     SSL_CONF_CMD_SWITCH("no_ticket", 0),
     SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER),
@@ -640,7 +640,7 @@ static const ssl_switch_tbl ssl_cmd_switches[] = {
     {SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */
     {SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */
     {SSL_OP_ALL, 0}, /* bugs */
-    {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */
+    {SSL_OP_NO_COMPRESSION, 1}, /* comp */
     {SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */
     {SSL_OP_NO_TICKET, 0}, /* no_ticket */
     {SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a43ec52736..878ff4c1fe 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2362,6 +2362,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
      * deployed might change this.
      */
     ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+    /*
+     * Disable compression by default to prevent CRIME. Applications can
+     * re-enable compression by configuring
+     * SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION);
+     * or by using the SSL_CONF library.
+     */
+    ret->options |= SSL_OP_NO_COMPRESSION;
     return (ret);
 err:
|
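Review bot: The `1` in the new `{SSL_OP_NO_COMPRESSION, 1}` entry of the second ssl_conf.c hunk carries the whole semantic change of this file, yet the `/* comp */` tag only names the switch; if that second field means "clear the option instead of setting it", as its use here suggests, a reader matching this row against the renamed `SSL_CONF_CMD_SWITCH("comp", 0)` in the first hunk has to infer the inversion. Suggest spelling it out in the tag, `{SSL_OP_NO_COMPRESSION, 1}, /* comp: inverted switch, clears SSL_OP_NO_COMPRESSION */`, and since ssl_conf_cmds[] and ssl_cmd_switches[] appear to be index-parallel, a one-line comment at the head of each table saying the two must stay aligned would make the pairing explicit. Note that a config or command line still passing the old `-no_comp` now reaches the unknown-switch path instead of being a no-op, which the commit message describes only as a switch rename. Both arrays start and end outside the hunks.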
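Review bot: The new comment in the ssl_lib.c hunk documents only the `SSL_CTX_clear_options` route for re-enabling compression, while the commit message also gives the SSL_CONF spelling; having both in the code keeps the in-tree documentation in step with the description. Suggest replacing the last comment line with `* or via SSL_CONF, e.g. SSL_CONF_cmd(ctx, "Options", "Compression").`. Setting the bit here covers contexts created through SSL_CTX_new; whether any other path constructs or resets `options` without inheriting this default is not visible in this hunk and would be worth confirming. SSL_CTX_new starts and ends outside the hunk.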