Commit: 4a01ddfb5569da1b87dd4cac95c3f709fb607396
Author: Daniel Lowrey <rdlow...@gmail.com> Wed, 30 Jan 2013 14:45:31 -0500
Committer: Lars Strojny <lstro...@php.net> Thu, 31 Jan 2013 00:31:10 +0100
Parents: bb4d11b405ae1f37a8b0e4db630e80c5678f0746
Branches: PHP-5.4
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=4a01ddfb5569da1b87dd4cac95c3f709fb607396

Log:
Added ssl context option, "disable_compression"

The CRIME attack vector exploits TLS compression. This patch adds a stream context option allowing servers to disable TLS compression for versions of OpenSSL >= 1.0.0 (which first introduced the SSL_OP_NO_COMPRESSION option).

A summary rundown of the CRIME attack can be found at https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls

Thanks to @DaveRandom for pointing out the relevant section of code.

Changed paths:
M ext/openssl/xp_ssl.c

Diff:
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c index fd452db..8b0fe69 100644 --- a/ext/openssl/xp_ssl.c +++ b/ext/openssl/xp_ssl.c @@ -395,6 +395,18 @@ static inline int php_openssl_setup_crypto(php_stream *stream, } #endif +#if OPENSSL_VERSION_NUMBER >= 0x10000000L + { + zval **val; + + if (stream->context && SUCCESS == php_stream_context_get_option( + stream->context, "ssl", "disable_compression", &val) && + zval_is_true(*val)) { + SSL_CTX_set_options(sslsock->ctx, SSL_OP_NO_COMPRESSION); + } + } +#endif + sslsock->ssl_handle = php_SSL_new_from_context(sslsock->ctx, stream TSRMLS_CC); if (sslsock->ssl_handle == NULL) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "failed to create an SSL handle");

-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
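Review bot: on builds against OpenSSL older than 1.0.0 the new option is silently ignored, because the entire lookup sits under `#if OPENSSL_VERSION_NUMBER >= 0x10000000L`; an operator who sets `"disable_compression" => true` on such a build keeps TLS compression with no signal that the request was dropped. Suggest an `#else` branch that performs the same `php_stream_context_get_option(... "ssl", "disable_compression", &val)` lookup and, when `zval_is_true(*val)`, emits a `php_error_docref(NULL TSRMLS_CC, E_WARNING, ...)` saying the option needs OpenSSL >= 1.0.0, in the same style as the existing "failed to create an SSL handle" warning a few lines below. Two smaller points: the commit message presents the option as one for servers, but nothing in the hunk restricts it to server-side streams, since the lookup runs on whatever `stream->context` reaches `php_openssl_setup_crypto`, so the documentation (none is touched in this commit, only xp_ssl.c changes) should cover client contexts as well; and the default remains compression-enabled, so every deployment that wants CRIME mitigation has to opt in explicitly, which is worth stating in the option's documentation if a safer default is not chosen.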
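Using the option from PHP, as an added example that is not part of the commit or of php-src. It builds an `ssl` stream context that sets `disable_compression`, and first checks the build's OpenSSL version because the patch only acts on OpenSSL >= 1.0.0 and otherwise ignores the option without any warning. The certificate path, port and hostname are assumptions for illustration; the client example relies on the observation that the hunk reads the option from `stream->context` without distinguishing server from client streams.

```php
<?php
// Added example (not php-src code): requesting the "disable_compression"
// stream context option introduced by this commit.
// Assumed values: /etc/ssl/server.pem, port 8443, example.com.

// The patch guards the lookup with
//   #if OPENSSL_VERSION_NUMBER >= 0x10000000L
// so on an older OpenSSL the option is a silent no-op. PHP exposes the
// same number as the OPENSSL_VERSION_NUMBER constant, so check it first.
function tls_compression_can_be_disabled()
{
    return defined('OPENSSL_VERSION_NUMBER')
        && OPENSSL_VERSION_NUMBER >= 0x10000000;
}

// Build an "ssl" context with compression disabled, refusing to continue
// on a build where the request would be ignored.
function make_ssl_context(array $ssl_options)
{
    if (!tls_compression_can_be_disabled()) {
        throw new RuntimeException(
            'disable_compression needs OpenSSL >= 1.0.0, have '
            . (defined('OPENSSL_VERSION_TEXT') ? OPENSSL_VERSION_TEXT : 'unknown'));
    }
    $ssl_options['disable_compression'] = true;
    return stream_context_create(array('ssl' => $ssl_options));
}

// Server side: the use case the commit message describes.
$server_ctx = make_ssl_context(array(
    'local_cert' => '/etc/ssl/server.pem',   // assumed path to cert + key
));
$server = stream_socket_server(
    'ssl://0.0.0.0:8443', $errno, $errstr,
    STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $server_ctx
);
if ($server === false) {
    fwrite(STDERR, "listen failed: $errstr ($errno)\n");
    exit(1);
}

// Confirm the option actually reached the context before serving.
$opts = stream_context_get_options($server_ctx);
if (empty($opts['ssl']['disable_compression'])) {
    fwrite(STDERR, "disable_compression not set on context\n");
    exit(1);
}

// Client side: the hunk does not restrict the option to server streams,
// so a client context can request it the same way (assumed host).
$client_ctx = make_ssl_context(array(
    'verify_peer' => true,
    'CN_match'    => 'example.com',
));
$client = @stream_socket_client(
    'ssl://example.com:443', $errno, $errstr, 10,
    STREAM_CLIENT_CONNECT, $client_ctx
);
if ($client !== false) {
    fclose($client);
}

fclose($server);
```

The version check matters more than it looks: without it, a deployment on an old OpenSSL would read as CRIME-mitigated in its own configuration while still negotiating compression, which is exactly the kind of silent failure a configuration option should not have.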