2015-06-08 08:25:56 +02:00
|
|
|
Index: openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod
|
2013-07-30 18:42:57 +02:00
|
|
|
===================================================================
|
2015-06-08 08:25:56 +02:00
|
|
|
--- openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod 2015-04-03 22:10:19.262805732 +0200
|
|
|
|
|
+++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod 2015-04-03 22:10:28.958939879 +0200
|
2013-07-30 18:42:57 +02:00
|
|
|
@@ -41,6 +41,24 @@ of compression methods supported on a pe
|
|
|
|
|
The OpenSSL library has the compression methods B<COMP_rle()> and (when
|
|
|
|
|
especially enabled during compilation) B<COMP_zlib()> available.
|
|
|
|
|
|
|
|
|
|
+And, there is an environment variable to switch the compression
|
|
|
|
|
+methods off and on. In default the compression is off to mitigate
|
|
|
|
|
+the so called CRIME attack ( CVE-2012-4929). If you want to enable
|
|
|
|
|
+compression again set OPENSSL_NO_DEFAULT_ZLIB to "no".
|
|
|
|
|
+
|
|
|
|
|
+The variable can be switched on and off at runtime; when this variable
|
|
|
|
|
+is set "no" compression is enabled, otherwise no, for example:
|
|
|
|
|
+
|
|
|
|
|
+in shell 'export OPENSSL_NO_DEFAULT_ZLIB=no'
|
|
|
|
|
+or in C to call
|
|
|
|
|
+int setenv(const char *name, const char *value, int overwrite); and
|
|
|
|
|
+int unsetenv(const char *name);
|
|
|
|
|
+
|
|
|
|
|
+Note: This reverts the behavior of the variable as it was before!
|
|
|
|
|
+
|
|
|
|
|
+And pay attention that this freaure is temporary, it maybe changed by
|
|
|
|
|
+the following updates.
|
|
|
|
|
+
|
|
|
|
|
=head1 WARNINGS
|
|
|
|
|
|
|
|
|
|
Once the identities of the compression methods for the TLS protocol have
|
2015-06-08 08:25:56 +02:00
|
|
|
Index: openssl-1.0.2a/ssl/ssl_ciph.c
|
2013-07-30 18:42:57 +02:00
|
|
|
===================================================================
|
2015-06-08 08:25:56 +02:00
|
|
|
--- openssl-1.0.2a.orig/ssl/ssl_ciph.c 2015-04-03 22:10:28.959939893 +0200
|
|
|
|
|
+++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-04-03 22:12:33.425662139 +0200
|
|
|
|
|
@@ -478,10 +478,16 @@ static void load_builtin_compressions(vo
|
2013-07-30 18:42:57 +02:00
|
|
|
|
2015-06-08 08:25:56 +02:00
|
|
|
if (ssl_comp_methods == NULL) {
|
|
|
|
|
SSL_COMP *comp = NULL;
|
|
|
|
|
+ const char *nodefaultzlib;
|
|
|
|
|
|
|
|
|
|
MemCheck_off();
|
|
|
|
|
ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
|
|
|
|
|
- if (ssl_comp_methods != NULL) {
|
|
|
|
|
+ /* The default is "no" compression to avoid CRIME/BEAST */
|
|
|
|
|
+ nodefaultzlib = getenv("OPENSSL_NO_DEFAULT_ZLIB");
|
|
|
|
|
+ if ( ssl_comp_methods != NULL &&
|
|
|
|
|
+ nodefaultzlib &&
|
|
|
|
|
+ strncmp( nodefaultzlib, "no", 2) == 0)
|
|
|
|
|
+ {
|
|
|
|
|
comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
|
|
|
|
|
if (comp != NULL) {
|
|
|
|
|
comp->method = COMP_zlib();
|
