pool/openssl
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
44a951fc87
openssl/compression_methods_switch.patch
Stephan Kulow 17914da9d0 Accepting request 211421 from Base:System 
- compression_methods_switch.patch: setenv might not be successful
  if a surrounding library or application filters it, like e.g. sudo.
  As setenv() does not seem to be useful anyway, remove it.
  bnc#849377 (forwarded request 211400 from msmeissn)

OBS-URL: https://build.opensuse.org/request/show/211421
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=103
2013-12-19 12:34:52 +00:00

52 lines
2.0 KiB
Diff
Raw Blame History

Index: openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
===================================================================
--- openssl-1.0.1e.orig/doc/ssl/SSL_COMP_add_compression_method.pod
+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod
@@ -41,6 +41,24 @@ of compression methods supported on a pe
The OpenSSL library has the compression methods B<COMP_rle()> and (when
especially enabled during compilation) B<COMP_zlib()> available.
+And, there is an environment variable to switch the compression
+methods off and on. In default the compression is off to mitigate
+the so called CRIME attack ( CVE-2012-4929). If you want to enable
+compression again set OPENSSL_NO_DEFAULT_ZLIB to "no".
+
+The variable can be switched on and off at runtime; when this variable
+is set "no" compression is enabled, otherwise no, for example:
+
+in shell 'export OPENSSL_NO_DEFAULT_ZLIB=no'
+or in C to call
+int setenv(const char *name, const char *value, int overwrite); and
+int unsetenv(const char *name);
+
+Note: This reverts the behavior of the variable as it was before!
+
+And pay attention that this freaure is temporary, it maybe changed by
+the following updates.
+
=head1 WARNINGS
Once the identities of the compression methods for the TLS protocol have
Index: openssl-1.0.1e/ssl/ssl_ciph.c
===================================================================
--- openssl-1.0.1e.orig/ssl/ssl_ciph.c
+++ openssl-1.0.1e/ssl/ssl_ciph.c
@@ -452,10 +452,16 @@ static void load_builtin_compressions(vo
if (ssl_comp_methods == NULL)
{
SSL_COMP *comp = NULL;
+ const char *nodefaultzlib;
MemCheck_off();
ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
- if (ssl_comp_methods != NULL)
+
+ /* The default is "no" compression to avoid CRIME/BEAST */
+ nodefaultzlib = getenv("OPENSSL_NO_DEFAULT_ZLIB");
+ if ( ssl_comp_methods != NULL &&
+ nodefaultzlib &&
+ strncmp( nodefaultzlib, "no", 2) == 0)
{
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
if (comp != NULL)
Reference in New Issue View Git Blame Copy Permalink