From rj...@apache.org
Subject svn commit: r1369585 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS docs/manual/mod/mod_ssl.xml modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_private.h
Date Sun, 05 Aug 2012 13:48:40 GMT
Author: rjung
Date: Sun Aug  5 13:48:40 2012
New Revision: 1369585

URL: http://svn.apache.org/viewvc?rev=1369585&view=rev
Log:
mod_ssl: Add new directive SSLCompression to disable
TLS-level compression.

PR 53219.

Backport of r1345319 and r1348656 from trunk.

Submitted by: Bjoern Jacke <bjoern j3e de>, sf
Reviewed by: rjung, trawick
Backported by: rjung

Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/STATUS
    httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml
    httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r1345319,1348656

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1369585&r1=1369584&r2=1369585&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Sun Aug  5 13:48:40 2012
@@ -7,6 +7,9 @@ Changes with Apache 2.4.3
      possible XSS for a site where untrusted users can upload files to
      a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
 
+  *) mod_ssl: Add new directive SSLCompression to disable TLS-level
+     compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
+
   *) mod_lua: Add a few missing request_rec fields. Rename remote_ip to
      client_ip to match conn_rec. [Stefan Fritsch]
 

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1369585&r1=1369584&r2=1369585&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Sun Aug  5 13:48:40 2012
@@ -88,12 +88,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_ssl: Add SSLCompression directive.
-     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1345319 and 
-                  http://svn.apache.org/viewvc?view=revision&revision=1348656
-     2.4.x patch: http://people.apache.org/~rjung/patches/ssl-compression-directive-2_4.patch
-     +1: rjung, sf, trawick
-     note: fix httpd compatibility info in docs when backporting
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]

Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml?rev=1369585&r1=1369584&r2=1369585&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml Sun Aug  5 13:48:40 2012
@@ -2389,4 +2389,20 @@ be protected with file permissions simil
 </usage>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>SSLCompression</name>
+<description>Disallow compression on the SSL level</description>
+<syntax>SSLCompression on|off</syntax>
+<default>SSLCompression on</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+<compatibility>Available in httpd 2.4.3 and later, if using OpenSSL 0.9.8 or later;
+virtual host scope available if using OpenSSL 1.0.0 or later</compatibility>
+
+<usage>
+<p>This directive allows to disable compression on the SSL level.</p>
+</usage>
+</directivesynopsis>
+
+
 </modulesynopsis>

Modified: httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c?rev=1369585&r1=1369584&r2=1369585&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c Sun Aug  5 13:48:40 2012
@@ -138,6 +138,9 @@ static const command_rec ssl_config_cmds
                 "('[+-][" SSL_PROTOCOLS "] ...' - see manual)")
     SSL_CMD_SRV(HonorCipherOrder, FLAG,
                 "Use the server's cipher ordering preference")
+    SSL_CMD_SRV(Compression, FLAG,
+                "Enable SSL level compression"
+                "(`on', `off')")
     SSL_CMD_SRV(InsecureRenegotiation, FLAG,
                 "Enable support for insecure renegotiation")
     SSL_CMD_ALL(UserName, TAKE1,
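Review bot: The two adjacent string literals on the added lines concatenate without a separator, so the directive's help text comes out as "Enable SSL level compression(`on', `off')" with no space before the parenthesis. Add a trailing space inside the first literal, `"Enable SSL level compression "`. The help text also says "Enable" while the manual entry in this commit describes the directive as disallowing compression; for a FLAG either reading works, but `"Enable or disable SSL level compression "` would match the documentation.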

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c?rev=1369585&r1=1369584&r2=1369585&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c Sun Aug  5 13:48:40 2012
@@ -207,6 +207,9 @@ static SSLSrvConfigRec *ssl_config_serve
 #ifdef HAVE_FIPS
     sc->fips                   = UNSET;
 #endif
+#ifndef OPENSSL_NO_COMP
+    sc->compression            = UNSET;
+#endif
 
     modssl_ctx_init_proxy(sc, p);
 
@@ -328,6 +331,9 @@ void *ssl_config_server_merge(apr_pool_t
 #ifdef HAVE_FIPS
     cfgMergeBool(fips);
 #endif
+#ifndef OPENSSL_NO_COMP
+    cfgMergeBool(compression);
+#endif
 
     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
 
@@ -663,6 +669,23 @@ static const char *ssl_cmd_check_file(cm
 
 }
 
+const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
+{
+#if !defined(OPENSSL_NO_COMP)
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+#ifndef SSL_OP_NO_COMPRESSION
+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+    if (err)
+        return "This version of openssl does not support configuring "
+               "compression within <VirtualHost> sections.";
+#endif
+    sc->compression = flag ? TRUE : FALSE;
+    return NULL;
+#else
+    return "Setting Compression mode unsupported; not implemented by the SSL library";
+#endif
+}
+
 const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
 {
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
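Review bot: The GLOBAL_ONLY check in the `#ifndef SSL_OP_NO_COMPRESSION` branch of ssl_cmd_SSLCompression carries no comment saying why per-vhost use is rejected, and the message from `ap_check_cmd_context` is discarded in favour of a fixed string, which is fine but worth stating. The reason appears to be that the 0.9.8 fallback in ssl_engine_init.c clears OpenSSL's global compression method list, so a one-line comment above the check would help: `/* Without SSL_OP_NO_COMPRESSION compression can only be disabled process-wide, so reject per-vhost use */`. The single-statement `if (err)` on the following lines should also be braced. `dcfg` being unused is expected for an SSL_CMD_SRV handler.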

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1369585&r1=1369584&r2=1369585&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Sun Aug  5 13:48:40 2012
@@ -622,6 +622,18 @@ static void ssl_init_ctx_protocol(server
     }
 #endif
 
+
+#ifndef OPENSSL_NO_COMP
+    if (sc->compression == FALSE) {
+#ifdef SSL_OP_NO_COMPRESSION
+        /* OpenSSL >= 1.0 only */
+        SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
+#elif OPENSSL_VERSION_NUMBER >= 0x00908000L
+        sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
+#endif
+    }
+#endif
+
 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
     if (sc->insecure_reneg == TRUE) {
         SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
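Review bot: The 0.9.8 fallback `sk_SSL_COMP_zero(SSL_COMP_get_compression_methods())` acts on OpenSSL's global compression method list rather than on `ctx`, so the first server with `SSLCompression off` disables compression for every SSL_CTX in the process, and nothing in this hunk re-adds methods for servers that leave it on; the existing comment only marks the other branch as 1.0-only. Replace the bare `#elif` line's silence with a comment such as `/* OpenSSL 0.9.8 has no per-context option; clearing the global method stack disables compression process-wide (hence GLOBAL_ONLY in ssl_cmd_SSLCompression) */`. The `#elif OPENSSL_VERSION_NUMBER >= 0x00908000L` guard also looks redundant, since ssl_private.h in this commit defines OPENSSL_NO_COMP for older versions lacking SSL_OP_NO_COMPRESSION, so a plain `#else` would express the intent, though keeping the check is harmless. Note that with the documented default of `on`, TLS-level compression stays enabled unless an administrator opts out. ssl_init_ctx_protocol continues outside the hunk.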

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h?rev=1369585&r1=1369584&r2=1369585&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h Sun Aug  5 13:48:40 2012
@@ -180,6 +180,11 @@
 #define HAVE_TLSV1_X
 #endif
 
+#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
+    && OPENSSL_VERSION_NUMBER < 0x00908000L
+#define OPENSSL_NO_COMP
+#endif
+
 /* mod_ssl headers */
 #include "ssl_util_ssl.h"
 
@@ -673,6 +678,9 @@ struct SSLSrvConfigRec {
 #ifdef HAVE_FIPS
     BOOL             fips;
 #endif
+#ifndef OPENSSL_NO_COMP
+    BOOL             compression;
+#endif
 };
 
 /**
@@ -727,6 +735,7 @@ const char  *ssl_cmd_SSLCARevocationPath
 const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLCARevocationCheck(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
+const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
 const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
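Review bot: The added prototype names only its third parameter, while the SSLHonorCipherOrder prototype directly above names all three and the neighbouring ones name none; pick one form, e.g. `const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int);` to match the majority of the list.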


