On 01.06.2012 21:36, [email protected] wrote: > Author: sf > Date: Fri Jun 1 19:36:37 2012 > New Revision: 1345319 > > URL: http://svn.apache.org/viewvc?rev=1345319&view=rev > Log: > Add new directive SSLCompression to disable SSL-level compression. > > PR: 53219 > Submitted by: Björn Jacke <bjoern j3e de>, Stefan Fritsch
[...] > Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1345319&r1=1345318&r2=1345319&view=diff > ============================================================================== > --- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original) > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Fri Jun 1 19:36:37 2012 [...] > @@ -663,6 +665,23 @@ static const char *ssl_cmd_check_file(cm > > } > > +const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag) > +{ > +#if defined(SSL_OP_NO_COMPRESSION) || OPENSSL_VERSION_NUMBER >= 0x00908000L > + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); > +#ifndef SSL_OP_NO_COMPRESSION > + const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); > + if (err) > + return "This version of openssl does not support configuring " > + "compression within <VirtualHost> sections."; > +#endif > + sc->compression = flag ? TRUE : FALSE; > + return NULL; > +#else > + return "Setting Compression mode unsupported; not implemented by the SSL > library"; > +#endif > +} I think you should also check for !defined(OPENSSL_NO_COMP) - in this case the directive is simply not applicable. > Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1345319&r1=1345318&r2=1345319&view=diff > ============================================================================== > --- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original) > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Fri Jun 1 19:36:37 2012 
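Review bot: In the `#ifndef SSL_OP_NO_COMPRESSION` branch of ssl_cmd_SSLCompression the result of `ap_check_cmd_context(cmd, GLOBAL_ONLY)` is stored in `err` and then discarded in favour of a different literal, and nothing explains why the directive is global-only on pre-1.0 OpenSSL; the reason lives in the ssl_engine_init.c hunk, whose 0.9.8 fallback empties the library-wide compression-method list instead of setting a per-SSL_CTX option. A comment above the check would keep the two files in step, e.g. `/* Pre-1.0 OpenSSL has no per-context switch: ssl_init_ctx_protocol clears the process-global SSL_COMP stack, so this cannot be set per <VirtualHost>. */`. Since `err` is only tested, the unused variable can be dropped with `if (ap_check_cmd_context(cmd, GLOBAL_ONLY))`, and `sc` could be fetched after the check so the error path does not compute a value it never uses.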
> @@ -622,6 +622,20 @@ static void ssl_init_ctx_protocol(server > } > #endif > > +#ifdef SSL_OP_NO_COMPRESSION > + /* OpenSSL >= 1.0 only */ > + if (sc->compression == FALSE) { > + SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); > + } > +#elif OPENSSL_VERSION_NUMBER >= 0x00908000L > + /* workaround for OpenSSL 0.9.8 */ > + if (sc->compression == FALSE) { > + STACK_OF(SSL_COMP)* comp_methods; > + comp_methods = SSL_COMP_get_compression_methods(); > + sk_SSL_COMP_zero(comp_methods); > + } > +#endif > + > #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION > if (sc->insecure_reneg == TRUE) { > SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); > I suggest changing/shortening this to something like: #ifndef OPENSSL_NO_COMP if (sc->compression == FALSE) { #ifdef SSL_OP_NO_COMPRESSION /* OpenSSL >= 1.0 only */ SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); #elif OPENSSL_VERSION_NUMBER >= 0x00908000L /* workaround for OpenSSL 0.9.8 */ sk_SSL_COMP_zero(SSL_COMP_get_compression_methods()); #endif } #endif Kaspar
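Review bot: The two preprocessor branches have different scope semantics and the comments do not say so: `SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION)` affects only this vhost's context, whereas `sk_SSL_COMP_zero(comp_methods)` on 0.9.8 empties a list shared by every SSL_CTX in the process, so once it runs nothing in this patch can re-enable compression anywhere. Suggest replacing `/* workaround for OpenSSL 0.9.8 */` with a comment stating that, e.g. `/* 0.9.8 has no per-context option; clearing the global SSL_COMP stack disables compression process-wide, hence GLOBAL_ONLY in ssl_cmd_SSLCompression. */`. The default value of `sc->compression` is not visible here; if the config default is an UNSET sentinel rather than TRUE/FALSE, the `== FALSE` test leaves compression enabled unless the directive is given, which is presumably intended but worth confirming against the defaults in ssl_engine_config.c. ssl_init_ctx_protocol starts before and continues after this hunk.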
