author | Joel Sing <jsing@cvs.openbsd.org> | 2013-07-16 13:22:56 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2013-07-16 13:22:56 +0000 |
commit | 8f4414d6ccd8f3f01d0de66cce6ce90193d3165a (patch) | |
tree | 7fb0b8360ae92a636c8c1a9f52d276158684dd60 | |
parent | 3a6c8b82e411c7114dde12df7b8110da5b0d280a (diff) |
Disable SSL compression in order to mitigate CRIME attacks. Add
an SSLCompression option so that it can be turned back on, however this
is currently a no-op due to the compile options for libssl.
Requested by and ok djm@
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/mod_ssl.c | 11 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/mod_ssl.h | 2 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c | 11 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c | 4 |
4 files changed, 23 insertions, 5 deletions
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
index 01133e25485..216700bab2f 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
@@ -74,7 +74,7 @@
 * identify the module to SCCS `what' and RCS `ident' commands
 */
 static char const sccsid[] = "@(#) mod_ssl/" MOD_SSL_VERSION " >";
-static char const rcsid[] = "$Id: mod_ssl.c,v 1.13 2013/07/16 13:02:16 jsing Exp $";
+static char const rcsid[] = "$Id: mod_ssl.c,v 1.14 2013/07/16 13:22:55 jsing Exp $";
 
 /*
 * the table of configuration directives we provide
@@ -107,15 +107,18 @@ static command_rec ssl_config_cmds[] = {
 AP_SRV_CMD(Engine, FLAG,
 "SSL switch for the protocol engine "
 "(`on', `off')")
- AP_SRV_CMD(HonorCipherOrder, FLAG,
- "Let the server determine preferred ciphers "
- "(`on', `off')")
+ AP_SRV_CMD(Compression, FLAG,
+ "Use SSL compression "
+ "(`on', `off')")
 AP_ALL_CMD(CipherSuite, TAKE1,
 "Colon-delimited list of permitted SSL Ciphers "
 "(`XXX:...:XXX' - see manual)")
 AP_SRV_CMD(ECDHCurve, TAKE1,
 "Name of ECDH curve to use for ephemeral EC keys "
 "(`curve' - see manual)")
+ AP_SRV_CMD(HonorCipherOrder, FLAG,
+ "Let the server determine preferred ciphers "
+ "(`on', `off')")
 AP_SRV_CMD(CertificateFile, TAKE1,
 "SSL Server Certificate file "
 "(`/path/to/file' - PEM or DER encoded)")
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
index 4d88024b999..d63a89910df 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
@@ -507,6 +507,7 @@ typedef struct {
 */
 typedef struct {
 BOOL bEnabled;
+ BOOL bCompression;
 char *szPublicCertFile[SSL_AIDX_MAX];
 char *szPrivateKeyFile[SSL_AIDX_MAX];
 char *szCertificateChain;
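Review bot: The help string for the new Compression directive in the second mod_ssl.c hunk does not say which value is the default, while the commit message explains that off is the default and that `on` currently has no effect with this libssl; an administrator reading the directive listing would assume `on` works. I would extend the second string literal to `"(`on', `off'; default `off')"` so the table itself documents the secure default. The relocation of HonorCipherOrder further down the table is a pure reorder and looks fine; the ssl_config_cmds table starts and ends outside the hunk.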
@@ -591,6 +592,7 @@ const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, char *, char *);
 const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, char *, char *);
 const char *ssl_cmd_SSLRandomSeed(cmd_parms *, char *, char *, char *, char *);
 const char *ssl_cmd_SSLEngine(cmd_parms *, char *, int);
+const char *ssl_cmd_SSLCompression(cmd_parms *, char *, int);
 const char *ssl_cmd_SSLCipherSuite(cmd_parms *, SSLDirConfigRec *, char *);
 const char *ssl_cmd_SSLECDHCurve(cmd_parms *, char *, char *);
 const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, char *, int);
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
index 775837a1e89..2bda3964065 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
@@ -191,6 +191,7 @@ void *ssl_config_server_create(pool *p, server_rec *s)
 
 sc = ap_palloc(p, sizeof(SSLSrvConfigRec));
 sc->bEnabled = UNSET;
+ sc->bCompression = FALSE;
 sc->szCACertificatePath = NULL;
 sc->szCACertificateFile = NULL;
 sc->szCertificateChain = NULL;
@@ -249,6 +250,7 @@ void *ssl_config_server_merge(pool *p, void *basev, void *addv)
 int i;
 
 cfgMergeBool(bEnabled);
+ cfgMergeBool(bCompression);
 cfgMergeString(szCACertificatePath);
 cfgMergeString(szCACertificateFile);
 cfgMergeString(szCertificateChain);
@@ -534,6 +536,15 @@ const char *ssl_cmd_SSLEngine(
 return NULL;
 }
 
+const char *ssl_cmd_SSLCompression(
+ cmd_parms *cmd, char *struct_ptr, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->bCompression = (flag ? TRUE : FALSE);
+ return NULL;
+}
+
 const char *ssl_cmd_SSLCipherSuite(
 cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
 {
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
index 67930cf4f1b..282ec56de8b 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
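Review bot: `sc->bCompression = FALSE;` in the ssl_config_server_create hunk most likely breaks inheritance from the main server into virtual hosts: the neighbouring boolean `bEnabled` starts at UNSET so that `cfgMergeBool` in the following merge hunk can distinguish "not configured" from "configured off", whereas a per-vhost FALSE would presumably win the merge over a main-server `SSLCompression on` — this assumes cfgMergeBool treats UNSET as the inherit sentinel, as its use for bEnabled suggests; its definition is not in the diff. The conventional fix is `sc->bCompression = UNSET;` here together with `if (sc->bCompression != TRUE)` in the ssl_engine_init.c hunk, which keeps the default fail-closed: anything other than an explicit `on` disables compression, rather than only an explicit FALSE doing so. Whichever convention is kept deserves a one-line comment next to the initialiser, e.g. `/* off by default (CRIME mitigation); UNSET lets vhosts inherit the main-server value */`. ssl_config_server_create starts and ends outside the hunk.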
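Review bot: ssl_cmd_SSLCompression accepts `SSLCompression on` silently although, per the commit message, enabling compression is currently a no-op because of how libssl is built, so the administrator gets no feedback that the directive changed nothing. If the module has a warning-level log path usable at configuration time, emitting one warning when `flag` is set would make that visible; at minimum a comment above the assignment, `/* NOTE: `on' is currently a no-op, libssl is built without compression */`, keeps the caveat next to the code rather than only in the commit log. The unused struct_ptr parameter matches the sibling handlers' signatures and is fine.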
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_engine_init.c,v 1.31 2013/07/16 13:02:16 jsing Exp $ */
+/* $OpenBSD: ssl_engine_init.c,v 1.32 2013/07/16 13:22:55 jsing Exp $ */
 
 /* _ _
 ** _ __ ___ ___ __| | ___ ___| | mod_ssl
@@ -590,6 +590,8 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)
 SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
 if (!(sc->nProtocol & SSL_PROTOCOL_TLSV1))
 SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
+ if (sc->bCompression == FALSE)
+ SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
 if (sc->bHonorCipherOrder == TRUE)
 SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 SSL_CTX_set_app_data(ctx, s);
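Review bot: The two new `SSL_OP_NO_COMPRESSION` lines in the ssl_init_ConfigureServer hunk carry no rationale, so the reason for the default (CRIME) lives only in the commit message and is lost to anyone reading ssl_engine_init.c later. A short comment above the check, `/* Compression is disabled by default to mitigate CRIME; SSLCompression on re-enables it. */`, would record it next to the option. ssl_init_ConfigureServer starts and ends outside the hunk.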