From: William A. Rowe Jr
Date: Wed, 6 Jul 2005 15:16:28 +0000 (+0000)
Subject: Add SSL_COMPRESS_METHOD variable (included in +StdEnvVars) to note
X-Git-Tag: 2.1.7~46
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=340df9ce2f73c6984948d3cff0c81580a9c4d2de;p=apache
Add SSL_COMPRESS_METHOD variable (included in +StdEnvVars) to note
the negotiated compression.
Reviewed by: wrowe, Maxime Petazzoni
Submitted by: Georg v. Zezschwitz
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@209469 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index 5c807b28ed..cf1de480e5 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -65,6 +65,7 @@ compatibility variables.
SSL_CIPHER_EXPORT | string | true if cipher is an export cipher |
SSL_CIPHER_USEKEYSIZE | number | Number of cipher bits (actually used) |
SSL_CIPHER_ALGKEYSIZE | number | Number of cipher bits (possible) |
+SSL_COMPRESS_METHOD | string | SSL compression method negotiated |
SSL_VERSION_INTERFACE | string | The mod_ssl program version |
SSL_VERSION_LIBRARY | string | The OpenSSL program version |
SSL_CLIENT_M_VERSION | string | The version of the client certificate |
diff --git a/docs/manual/ssl/ssl_faq.xml b/docs/manual/ssl/ssl_faq.xml
index 7ffe81023a..0b759dfe38 100644
--- a/docs/manual/ssl/ssl_faq.xml
+++ b/docs/manual/ssl/ssl_faq.xml
@@ -680,6 +680,7 @@ browsers complain that they cannot verify the server certificate?
HTTPS and name-based vhosts
Why is it not possible to use Name-Based Virtual
Hosting to identify different SSL virtual hosts?
+How do I get SSL compression working?
The lock icon in Netscape locks very late
Why do I get I/O errors with MSIE clients?
Why do I get I/O errors with NS clients?
@@ -804,6 +805,23 @@ Virtual Hosting to identify different SSL virtual hosts?
Use different port numbers for different SSL hosts.
+How do I get SSL compression working?
+Although SSL compression negotiation was already defined in the specification
+of SSLv2 and TLS, it took until May 2004 when RFC 3749 defined DEFLATE as
+a negotiable standard compression method.
+
+OpenSSL 0.9.8 started to support this by default when compiled with the
+zlib
option. If both the client and the server support compression,
+it will be used. However, most clients still try to initially connect with an
+SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms
+in its handshake, compression can not be negotiated with these clients.
+If the client disables support for SSLv2, based on the used SSL library
+a SSLv3 or TLS Hello might be sent and compression might be set up.
+You can verify if clients make use of SSL compression by logging the
+%{SSL_COMPRESS_METHOD}x
variable.
+
+
+
When I use Basic Authentication over HTTPS the lock icon in Netscape browsers
still shows the unlocked state when the dialog pops up. Does this mean the
username/password is still transmitted unencrypted?
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 03b1e88ce9..25b8a4879f 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -946,6 +946,7 @@ static const char *ssl_hook_Fixup_vars[] = {
"SSL_VERSION_INTERFACE",
"SSL_VERSION_LIBRARY",
"SSL_PROTOCOL",
+ "SSL_COMPRESS_METHOD",
"SSL_CIPHER",
"SSL_CIPHER_EXPORT",
"SSL_CIPHER_USEKEYSIZE",
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index 69d4b098c3..ca505f87bb 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -50,6 +50,7 @@ static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c);
static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var);
static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
+static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl);
static int ssl_is_https(conn_rec *c)
{
@@ -296,6 +297,9 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, char *var)
if ((xs = SSL_get_certificate(ssl)) != NULL)
result = ssl_var_lookup_ssl_cert(p, xs, var+7);
}
+ else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
+ result = ssl_var_lookup_ssl_compress_meth(ssl);
+ }
return result;
}
@@ -711,6 +715,39 @@ const char *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer,
return result;
}
+static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
+{
+ char *result = "NULL";
+#ifdef OPENSSL_VERSION_NUMBER
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
+ SSL_SESSION *pSession = SSL_get_session(ssl);
+
+ if (pSession) {
+ switch (pSession->compress_meth) {
+ case 0:
+ /* default "NULL" already set */
+ break;
+
+ /* Defined by RFC 3749, deflate is coded by "1" */
+ case 1:
+ result = "DEFLATE";
+ break;
+
+ /* IANA assigned compression number for LZS */
+ case 0x40:
+ result = "LZS";
+ break;
+
+ default:
+ result = "UNKNOWN";
+ break;
+ }
+ }
+#endif
+#endif
+ return result;
+}
+
/* _________________________________________________________________
**
** SSL Extension to mod_log_config
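Review bot: ssl_var_lookup_ssl_compress_meth reads `pSession->compress_meth` straight out of the SSL_SESSION struct, so the lookup depends on that layout staying visible rather than on an API; the same 0.9.8 release that introduced compression also exposes the negotiated method via `SSL_get_current_compression(ssl)` plus `SSL_COMP_get_name()`, which would avoid the struct access (OpenSSL's names differ from the RFC identifiers emitted here, so the mod_ssl.xml table would need to state which spelling is used). The `default:` branch also throws away the numeric id, which is the one thing an operator cannot recover from the log when an unexpected method shows up; returning `apr_psprintf(p, "UNKNOWN(%d)", pSession->compress_meth)` would keep it, at the cost of passing the pool in as the sibling `ssl_var_lookup_ssl_version(apr_pool_t *p, char *var)` already does. Every result is a string literal handed back through a non-const `char *`; that matches the other `ssl_var_lookup_ssl_*` helpers declared above, so it is a pre-existing convention rather than something this commit introduces, but worth a `const` pass across the file. The two RFC/IANA comments sit before their `case` labels instead of after them, unlike the "default already set" comment; placing them inside the case body would read consistently.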