From: William A. Rowe Jr <wrowe@apache.org>
Date: Wed, 6 Jul 2005 15:16:28 +0000 (+0000)
Subject: Add SSL_COMPRESS_METHOD variable (included in +StdEnvVars) to note
X-Git-Tag: 2.1.7~46
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=340df9ce2f73c6984948d3cff0c81580a9c4d2de;p=apache
Add SSL_COMPRESS_METHOD variable (included in +StdEnvVars) to note
the negotiated compression.
Reviewed by: wrowe, Maxime Petazzoni
Submitted by: Georg v. Zezschwitz <gvz 2scale.de>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@209469 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index 5c807b28ed..cf1de480e5 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -65,6 +65,7 @@ compatibility variables.</p>
<tr><td><code>SSL_CIPHER_EXPORT</code></td> <td>string</td> <td><code>true</code> if cipher is an export cipher</td></tr>
<tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (actually used)</td></tr>
<tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (possible)</td></tr>
+<tr><td><code>SSL_COMPRESS_METHOD</code></td> <td>string</td> <td>SSL compression method negotiated</td></tr>
<tr><td><code>SSL_VERSION_INTERFACE</code></td> <td>string</td> <td>The mod_ssl program version</td></tr>
<tr><td><code>SSL_VERSION_LIBRARY</code></td> <td>string</td> <td>The OpenSSL program version</td></tr>
<tr><td><code>SSL_CLIENT_M_VERSION</code></td> <td>string</td> <td>The version of the client certificate</td></tr>
diff --git a/docs/manual/ssl/ssl_faq.xml b/docs/manual/ssl/ssl_faq.xml
index 7ffe81023a..0b759dfe38 100644
--- a/docs/manual/ssl/ssl_faq.xml
+++ b/docs/manual/ssl/ssl_faq.xml
@@ -680,6 +680,7 @@ browsers complain that they cannot verify the server certificate?</title>
<li><a href="#vhosts">HTTPS and name-based vhosts</a></li>
<li><a href="#vhosts2">Why is it not possible to use Name-Based Virtual
Hosting to identify different SSL virtual hosts?</a></li>
+<li><a href="#comp">How do I get SSL compression working?</a></li>
<li><a href="#lockicon">The lock icon in Netscape locks very late</a></li>
<li><a href="#msie">Why do I get I/O errors with MSIE clients?</a></li>
<li><a href="#nn">Why do I get I/O errors with NS clients?</a></li>
@@ -804,6 +805,23 @@ Virtual Hosting to identify different SSL virtual hosts?</title>
Use different port numbers for different SSL hosts.</p>
</section>
+<section id="comp"><title>How do I get SSL compression working?</title>
+<p>Although SSL compression negotiation was already defined in the specification
+of SSLv2 and TLS, it took until May 2004 when RFC 3749 defined DEFLATE as
+a negotiable standard compression method.
+</p>
+<p>OpenSSL 0.9.8 started to support this by default when compiled with the
+<code>zlib</code> option. If both the client and the server support compression,
+it will be used. However, most clients still try to initially connect with an
+SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms
+in its handshake, compression can not be negotiated with these clients.
+If the client disables support for SSLv2, based on the used SSL library
+a SSLv3 or TLS Hello might be sent and compression might be set up.
+You can verify if clients make use of SSL compression by logging the
+<code>%{SSL_COMPRESS_METHOD}x</code> variable.
+</p>
+</section>
+
<section id="lockicon"><title>When I use Basic Authentication over HTTPS the lock icon in Netscape browsers
still shows the unlocked state when the dialog pops up. Does this mean the
username/password is still transmitted unencrypted?</title>
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 03b1e88ce9..25b8a4879f 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -946,6 +946,7 @@ static const char *ssl_hook_Fixup_vars[] = {
"SSL_VERSION_INTERFACE",
"SSL_VERSION_LIBRARY",
"SSL_PROTOCOL",
+ "SSL_COMPRESS_METHOD",
"SSL_CIPHER",
"SSL_CIPHER_EXPORT",
"SSL_CIPHER_USEKEYSIZE",
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index 69d4b098c3..ca505f87bb 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -50,6 +50,7 @@ static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c);
static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var);
static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
+static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl);
static int ssl_is_https(conn_rec *c)
{
@@ -296,6 +297,9 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, char *var)
if ((xs = SSL_get_certificate(ssl)) != NULL)
result = ssl_var_lookup_ssl_cert(p, xs, var+7);
}
+ else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
+ result = ssl_var_lookup_ssl_compress_meth(ssl);
+ }
return result;
}
@@ -711,6 +715,39 @@ const char *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer,
return result;
}
+static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl)
+{
+ char *result = "NULL";
+#ifdef OPENSSL_VERSION_NUMBER
+#if (OPENSSL_VERSION_NUMBER >= 0x00908000)
+ SSL_SESSION *pSession = SSL_get_session(ssl);
+
+ if (pSession) {
+ switch (pSession->compress_meth) {
+ case 0:
+ /* default "NULL" already set */
+ break;
+
+ /* Defined by RFC 3749, deflate is coded by "1" */
+ case 1:
+ result = "DEFLATE";
+ break;
+
+ /* IANA assigned compression number for LZS */
+ case 0x40:
+ result = "LZS";
+ break;
+
+ default:
+ result = "UNKNOWN";
+ break;
+ }
+ }
+#endif
+#endif
+ return result;
+}
+
/* _________________________________________________________________
**
** SSL Extension to mod_log_config