From: Stefan Fritsch Date: Sun, 21 Oct 2012 19:15:43 +0000 (+0000) Subject: Change default for SSLCompression to off, as compression X-Git-Tag: 2.5.0-alpha~6185 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f55dd489b18c71f5a2faabf06e8e73e36fef5913;p=apache Change default for SSLCompression to off, as compression causes security issues in most setups git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1400700 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index c311e42b88..e31d8d075b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) mod_ssl: Change default for SSLCompression to off, as compression + causes security issues in most setups. (The so called "CRIME" attack). + [Stefan Fritsch] + *) syslog logging: Remove stray ", referer" at the end of some messages. [Jeff Trawick] diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index 63645980a0..5bc2c2fa3a 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -2446,16 +2446,21 @@ be protected with file permissions similar to those used for SSLCompression -Disallow compression on the SSL level +Enable compression on the SSL level SSLCompression on|off -SSLCompression on +SSLCompression off server config virtual host Available in httpd 2.4.3 and later, if using OpenSSL 0.9.8 or later; -virtual host scope available if using OpenSSL 1.0.0 or later +virtual host scope available if using OpenSSL 1.0.0 or later. +The default used to be on in version 2.4.3. -

This directive allows to disable compression on the SSL level.

+

This directive allows to enable compression on the SSL level.

+ +

Enabling compression causes security issues in most setups (the so called +CRIME attack).

+
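Review bot: The new sentence "This directive allows to enable compression on the SSL level" in the mod_ssl.xml hunk is ungrammatical; "allows to enable" should read "allows compression to be enabled" or "enables compression", and "the so called CRIME attack" should be hyphenated as "so-called". The added compatibility line "The default used to be on in version 2.4.3." is also ambiguous about when the default changed; state it as "The default was on in 2.4.3 and is off in later releases" so readers upgrading from 2.4.3 know whether their configuration needs an explicit `SSLCompression off`. Finally, the summary changed from "Disallow compression" to "Enable compression", which fits the on|off syntax, but the body text should still make clear that leaving the directive unset now disables compression, since that is the security-relevant behaviour this commit introduces.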
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 0ce7e5a691..815228126b 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -656,7 +656,7 @@ static void ssl_init_ctx_protocol(server_rec *s, #ifndef OPENSSL_NO_COMP - if (sc->compression == FALSE) { + if (sc->compression != TRUE) { #ifdef SSL_OP_NO_COMPRESSION /* OpenSSL >= 1.0 only */ SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
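Review bot: In the ssl_engine_init.c hunk, flipping the test from `if (sc->compression == FALSE)` to `if (sc->compression != TRUE)` implements the new off-by-default behaviour by treating the unset value of `sc->compression` the same as an explicit `off`; that is the intended effect, but it hides the default inside a comparison rather than in the configuration defaults, so a reader of the directive handling code no longer sees where the default comes from. Prefer setting the default explicitly where the server config is initialised and keeping the condition a plain `== FALSE`, or at least add a comment next to the changed line saying that unset means disabled because of CRIME. Also, only the `#ifdef SSL_OP_NO_COMPRESSION` / OpenSSL >= 1.0 path is visible in the hunk; the pre-1.0 branch lies outside the shown context and should be checked so that the unset case disables compression there as well, otherwise the documented default would only hold for newer OpenSSL builds.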