From 58e079e79f926facfb77aadb70c301798d2bd4b2 Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Fri, 9 Feb 2018 10:20:50 +0000 Subject: [PATCH] Merge r1556473 from trunk: * modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCompression): Fail if enabled *and* if OpenSSL does not make any compression methods available. Tweak wording for failure without SSL_OP_NO_COMPRESSION. Submitted by: jorton Reviewed by: jorton, jim, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1823625 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++++ modules/ssl/ssl_engine_config.c | 15 +++++++++++++-- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 85357b2715..e706b53061 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.30 + *) mod_ssl: The SSLCompression directive will now give an error if used + with an OpenSSL build which does not support any compression methods. + [Joe Orton] + *) mpm_event,worker: Mask signals for threads created by modules in child init, so that they don't receive (implicitely) the ones meant for the MPM. PR 62009. [Armin Abfalterer , Yann Ylavic] diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index 6750b98a8a..78d058cb16 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c 
@@ -781,9 +781,20 @@ const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
 #ifndef SSL_OP_NO_COMPRESSION
 const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
 if (err)
- return "This version of openssl does not support configuring "
- "compression within sections.";
+ return "This version of OpenSSL does not support enabling "
+ "SSLCompression within sections.";
 #endif
+ if (flag) {
+ /* Some (packaged) versions of OpenSSL do not support
+ * compression by default. Enabling this directive would not
+ * have the desired effect, so fail with an error. */
+ STACK_OF(SSL_COMP) *meths = SSL_COMP_get_compression_methods();
+
+ if (sk_SSL_COMP_num(meths) == 0) {
+ return "This version of OpenSSL does not have any compression methods "
+ "available, cannot enable SSLCompression.";
+ }
+ }
 sc->compression = flag ? TRUE : FALSE;
 return NULL;
 #else
-- 
2.40.0
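Review bot: The new `sk_SSL_COMP_num(meths) == 0` test inside the `if (flag)` block does not cover a NULL stack: OpenSSL documents sk_TYPE_num() as returning -1 when the stack pointer is NULL, so if SSL_COMP_get_compression_methods() returns NULL the directive is still accepted although no compression method is available. Comparing with `<= 0` rejects both the empty and the NULL case, i.e. `if (sk_SSL_COMP_num(meths) <= 0) {`. The function begins before the hunk and continues past the trailing `#else`, so whether an outer compile-time guard already excludes that case cannot be confirmed from the visible lines. Separately, the reworded message under `#ifndef SSL_OP_NO_COMPRESSION` says "enabling", but that branch returns for any value of `flag`, so a disabling use of the directive outside the global context would presumably get the same text.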