From 4a01ddfb5569da1b87dd4cac95c3f709fb607396 Mon Sep 17 00:00:00 2001 From: Daniel Lowrey Date: Wed, 30 Jan 2013 14:45:31 -0500 Subject: [PATCH] Added ssl context option, "disable_compression" MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The CRIME attack vector exploits TLS compression. This patch adds a stream context option allowing servers to disable TLS compression for versions of OpenSSL >= 1.0.0 (which first introduced the SSL_OP_NO_COMPRESSION option). A summary rundown of the CRIME attack can be found at https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls Thanks to @DaveRandom for pointing out the relevant section of code. --- ext/openssl/xp_ssl.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c index fd452db3e0..8b0fe69e42 100644 --- a/ext/openssl/xp_ssl.c +++ b/ext/openssl/xp_ssl.c @@ -395,6 +395,18 @@ static inline int php_openssl_setup_crypto(php_stream *stream, } #endif +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + { + zval **val; + + if (stream->context && SUCCESS == php_stream_context_get_option( + stream->context, "ssl", "disable_compression", &val) && + zval_is_true(*val)) { + SSL_CTX_set_options(sslsock->ctx, SSL_OP_NO_COMPRESSION); + } + } +#endif + sslsock->ssl_handle = php_SSL_new_from_context(sslsock->ctx, stream TSRMLS_CC); if (sslsock->ssl_handle == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "failed to create an SSL handle"); -- 2.40.0