At 07:32 AM 7/5/2005, Georg v. Zezschwitz wrote:
>However, currently 2.0.54 cannot be built with 0.9.8beta6, as
>a pem.h-definition has changed. The OpenSSL-team considers this
>renaming as a bug correction, so compilation of mod_ssl will
>go on to fail.
I've committed that fix to both 2.0 and 2.1 trees, thank you! In the future please separate each functional change into its own patch.

>I have attached a patch to make mod_ssl compile with OpenSSL 0.9.8,
>and also added an SSL variable "SSL_COMP_METHOD" to allow logging
>(and other usages) of the negotiated compression method.

My concern is that older libraries would break under this patch. Do we care? I dunno - but just in case this is only committed to the 2.1 dev branch for now.

I changed the variable name to SSL_COMPRESS_METHOD, to kill the ambiguity of 'COMP'. I've also added this to the StdEnvVars, since it's not unreasonable for a CGI to behave differently, knowing that compression is already applied to the stream. For that matter, mod_deflate ought to peek at this variable and just get out of the way :) Patches welcome.

Finally, you had one small typo: a simple string compare was more appropriate than a variable length compare (I was confused what you meant; did you want to accept SSL_COMP_ME?). The revised patch to 2.0.x is attached.

Thanks again!

Bill
# # Add SSL_COMPRESS_METHOD variable (included in +StdEnvVars) to note # the negotiated compression. [Georg v. Zezschwitz <gvz 2scale.de>] # Index: docs/manual/mod/mod_ssl.xml =================================================================== --- docs/manual/mod/mod_ssl.xml (revision 209415) +++ docs/manual/mod/mod_ssl.xml (working copy) @@ -65,6 +65,7 @@ <tr><td><code>SSL_CIPHER_EXPORT</code></td> <td>string</td> <td><code>true</code> if cipher is an export cipher</td></tr> <tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (actually used)</td></tr> <tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (possible)</td></tr> +<tr><td><code>SSL_COMPRESS_METHOD</code></td> <td>string</td> <td>SSL compression method negotiated</td></tr> <tr><td><code>SSL_VERSION_INTERFACE</code></td> <td>string</td> <td>The mod_ssl program version</td></tr> <tr><td><code>SSL_VERSION_LIBRARY</code></td> <td>string</td> <td>The OpenSSL program version</td></tr> <tr><td><code>SSL_CLIENT_M_VERSION</code></td> <td>string</td> <td>The version of the client certificate</td></tr> Index: docs/manual/ssl/ssl_faq.xml =================================================================== --- docs/manual/ssl/ssl_faq.xml (revision 209415) +++ docs/manual/ssl/ssl_faq.xml (working copy) @@ -680,6 +680,7 @@ <li><a href="#vhosts">HTTPS and name-based vhosts</a></li> <li><a href="#vhosts2">Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?</a></li> +<li><a href="#comp">How do I get SSL compression working?</a></li> <li><a href="#lockicon">The lock icon in Netscape locks very late</a></li> <li><a href="#msie">Why do I get I/O errors with MSIE clients?</a></li> <li><a href="#nn">Why do I get I/O errors with NS clients?</a></li> 
@@ -804,6 +805,23 @@ Use different port numbers for different SSL hosts.</p> </section> +<section id="comp"><title>How do I get SSL compression working?</title> +<p>Although SSL compression negotiation was already defined in the specification +of SSLv2 and TLS, it took until May 2004 when RFC 3749 defined DEFLATE as +a negotiable standard compression method. +</p> +<p>OpenSSL 0.9.8 started to support this by default when compiled with the +<code>zlib</code> option. If both the client and the server support compression, +it will be used. However, most clients still try to initially connect with an +SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms +in its handshake, compression can not be negotiated with these clients. +If the client disables support for SSLv2, based on the used SSL library +a SSLv3 or TLS Hello might be sent and compression might be set up. +You can verify if clients make use of SSL compression by logging the +<code>%{SSL_COMPRESS_METHOD}x</code> variable. +</p> +</section> + <section id="lockicon"><title>When I use Basic Authentication over HTTPS the lock icon in Netscape browsers still shows the unlocked state when the dialog pops up. Does this mean the username/password is still transmitted unencrypted?</title> Index: modules/ssl/ssl_engine_vars.c =================================================================== --- modules/ssl/ssl_engine_vars.c (revision 209415) +++ modules/ssl/ssl_engine_vars.c (working copy) @@ -47,6 +47,7 @@ static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var); static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize); static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var); +static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl); static int ssl_is_https(conn_rec *c) { 
@@ -282,6 +283,9 @@ if ((xs = SSL_get_certificate(ssl)) != NULL) result = ssl_var_lookup_ssl_cert(p, xs, var+7); } + else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { + result = ssl_var_lookup_ssl_compress_meth(ssl); + } return result; } @@ -595,6 +599,39 @@ return result; } +static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl) +{ + char *result = "NULL"; +#ifdef OPENSSL_VERSION_NUMBER +#if (OPENSSL_VERSION_NUMBER >= 0x00908000) + SSL_SESSION *pSession = SSL_get_session(ssl); + + if (pSession) { + switch (pSession->compress_meth) { + case 0: + /* default "NULL" already set */ + break; + + /* Defined by RFC 3749, deflate is coded by "1" */ + case 1: + result = "DEFLATE"; + break; + + /* IANA assigned compression number for LZS */ + case 0x40: + result = "LZS"; + break; + + default: + result = "UNKNOWN"; + break; + } + } +#endif +#endif + return result; +} + /* _________________________________________________________________ ** ** SSL Extension to mod_log_config Index: modules/ssl/ssl_engine_kernel.c =================================================================== --- modules/ssl/ssl_engine_kernel.c (revision 209415) +++ modules/ssl/ssl_engine_kernel.c (working copy) @@ -941,6 +941,7 @@ "SSL_VERSION_INTERFACE", "SSL_VERSION_LIBRARY", "SSL_PROTOCOL", + "SSL_COMPRESS_METHOD", "SSL_CIPHER", "SSL_CIPHER_EXPORT", "SSL_CIPHER_USEKEYSIZE",
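Review bot: in the docs/manual/mod/mod_ssl.xml hunk, the new table row describes SSL_COMPRESS_METHOD only as "SSL compression method negotiated", while the code in ssl_engine_vars.c returns one of the fixed strings "NULL", "DEFLATE", "LZS" or "UNKNOWN"; listing those values in the description would make the logged field self-explanatory, and "NULL" in particular deserves a word saying it is the string for "no compression negotiated", so readers do not mistake it for an unset variable.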
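Review bot: in the docs/manual/ssl/ssl_faq.xml hunk (@@ -804), the first sentence of the new "comp" section says compression negotiation was defined in "the specification of SSLv2 and TLS", but the same paragraph goes on to say that SSLv2 did not include a list of compression algorithms in its handshake; the two statements contradict each other, and since the SSLv2 Hello carries no compression field, "SSLv2" in the opening sentence should presumably read "SSLv3". While there, fix the spelling "prefered" -> "preferred" and "can not" -> "cannot".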
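Review bot: in the ssl_engine_vars.c hunk (@@ -595), ssl_var_lookup_ssl_compress_meth reads pSession->compress_meth directly rather than through an accessor, so it depends on the SSL_SESSION struct layout; the OPENSSL_VERSION_NUMBER >= 0x00908000 guard keeps older libraries compiling, which addresses the concern raised in the mail, but a one-line comment stating why 0.9.8 is the threshold would help whoever next bumps the minimum version. The default: branch collapses every unrecognised code to "UNKNOWN"; since the recognised values (0, 1, 0x40) are registry-assigned numbers, returning the numeric code instead (which would mean passing the pool in and formatting with apr_psprintf) would let an unexpected negotiation be diagnosed from the access log rather than hidden behind a constant string.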
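Review bot: in the ssl_engine_kernel.c hunk (@@ -941), "SSL_COMPRESS_METHOD" is inserted between "SSL_PROTOCOL" and "SSL_CIPHER" in the StdEnvVars list, whereas the documentation table in mod_ssl.xml places it after SSL_CIPHER_ALGKEYSIZE; keeping the two orderings aligned is a small style point that makes them easier to cross-check when the next variable is added. Since +StdEnvVars exports this to every CGI request, the lookup being one SSL_get_session call plus a switch is cheap enough for that path, which is worth noting in the commit message given the mail's comment that CGIs may act on it.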