Subject: svn commit: r1400962 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_init.c
Date: Mon, 22 Oct 2012 17:16:05 -0000
To: cvs@httpd.apache.org
From: jim@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20121022171605.5FD3923888CD@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: jim Date: Mon Oct 22 17:16:04 2012 New Revision: 1400962 URL: http://svn.apache.org/viewvc?rev=1400962&view=rev Log: Merge r1400700 from trunk: Change default for SSLCompression to off, as compression causes security issues in most setups Submitted by: sf Reviewed/backported by: jim Modified: httpd/httpd/branches/2.4.x/ (props changed) httpd/httpd/branches/2.4.x/CHANGES httpd/httpd/branches/2.4.x/STATUS httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Propchange: httpd/httpd/branches/2.4.x/ ------------------------------------------------------------------------------ Merged /httpd/httpd/trunk:r1400700 Modified: httpd/httpd/branches/2.4.x/CHANGES URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1400962&r1=1400961&r2=1400962&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original) +++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Mon Oct 22 17:16:04 2012 @@ -2,6 +2,10 @@ Changes with Apache 2.4.4 + *) mod_ssl: Change default for SSLCompression to off, as compression + causes security issues in most setups. (The so called "CRIME" attack). + [Stefan Fritsch] + *) ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output to more accurately report the negotiated protocol. PR 53916. [Nicolás Pernas Maradei , Kaspar Brand] Modified: httpd/httpd/branches/2.4.x/STATUS URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1400962&r1=1400961&r2=1400962&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/STATUS (original) +++ httpd/httpd/branches/2.4.x/STATUS Mon Oct 22 17:16:04 2012 
@@ -89,10 +89,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_ssl: Change default for SSLCompression to off. - trunk patch: http://svn.apache.org/viewvc?rev=1400700&view=rev - 2.4.x patch: trunk patch works (except CHANGES) - +1: sf, covener, jim PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml?rev=1400962&r1=1400961&r2=1400962&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml (original) +++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml Mon Oct 22 17:16:04 2012 @@ -2391,16 +2391,21 @@ be protected with file permissions simil SSLCompression -Disallow compression on the SSL level +Enable compression on the SSL level SSLCompression on|off -SSLCompression on +SSLCompression off server config virtual host Available in httpd 2.4.3 and later, if using OpenSSL 0.9.8 or later; -virtual host scope available if using OpenSSL 1.0.0 or later +virtual host scope available if using OpenSSL 1.0.0 or later. +The default used to be on in version 2.4.3. -

This directive allows to disable compression on the SSL level.

+

This directive allows to enable compression on the SSL level.

+ +

Enabling compression causes security issues in most setups (the so called +CRIME attack).

+
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c?rev=1400962&r1=1400961&r2=1400962&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c (original) +++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c Mon Oct 22 17:16:04 2012 @@ -624,7 +624,7 @@ static void ssl_init_ctx_protocol(server #ifndef OPENSSL_NO_COMP - if (sc->compression == FALSE) { + if (sc->compression != TRUE) { #ifdef SSL_OP_NO_COMPRESSION /* OpenSSL >= 1.0 only */ SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
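Review bot: in the mod_ssl.xml hunk, the rewritten description "This directive allows to enable compression on the SSL level." carries over the ungrammatical "allows to" from the old text; suggest "This directive enables compression on the SSL level." The added warning "Enabling compression causes security issues in most setups (the so called CRIME attack)" should read "so-called", and the new compatibility note "The default used to be on in version 2.4.3." would read more cleanly as "The default was on in version 2.4.3." Since the directive summary now says "Enable compression" with a default of off, the warning is the only thing telling an admin why the default changed, so it is worth keeping that sentence adjacent to the default rather than only in the description body.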
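Review bot: in the ssl_engine_init.c hunk, changing `if (sc->compression == FALSE)` to `if (sc->compression != TRUE)` only alters behaviour if sc->compression can hold a value other than TRUE or FALSE, i.e. an unset sentinel; the new test routes that unset state into the SSL_OP_NO_COMPRESSION branch, which is the intended default-off but is not evident from the condition alone. Add a short comment above the test stating that an unset SSLCompression disables compression, or initialise the default explicitly where sc->compression is set up, so a later reader does not "correct" it back to `== FALSE`. The disabling call sits under `#ifdef SSL_OP_NO_COMPRESSION /* OpenSSL >= 1.0 only */` and the hunk does not show the fallback for older OpenSSL, so it is worth confirming that pre-1.0 builds also end up with compression off by default, as the CHANGES entry promises.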