RT3234: disable compression (dc5744cb) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

CHANGES

+6 −0

Original line number	Diff line number	Diff line
		@@ -4,6 +4,12 @@

		Changes between 1.0.2f and 1.1.0 [xx XXX xxxx]

		*) CRIME protection: disable compression by default, even if OpenSSL is
		compiled with zlib enabled. Applications can still enable compression
		by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
		using the SSL_CONF library to configure compression.
		[Emilia Käsper]

		*) The signature of the session callback configured with
		SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
		was explicitly marked as 'const unsigned char*' instead of

+3 −3

Original line number	Diff line number	Diff line
		@@ -285,7 +285,7 @@ void wait_for_async(SSL *s);
		# define OPT_S_ENUM \
		OPT_S__FIRST=3000, \
		OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
		OPT_S_BUGS, OPT_S_NOCOMP, OPT_S_ECDHSINGLE, OPT_S_NOTICKET, \
		OPT_S_BUGS, OPT_S_COMP, OPT_S_ECDHSINGLE, OPT_S_NOTICKET, \
		OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
		OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \
		OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \
		@@ -298,7 +298,7 @@ void wait_for_async(SSL *s);
		{"no_tls1_1", OPT_S_NOTLS1_1, '-' }, \
		{"no_tls1_2", OPT_S_NOTLS1_2, '-' }, \
		{"bugs", OPT_S_BUGS, '-' }, \
		{"no_comp", OPT_S_NOCOMP, '-', "Don't use SSL/TLS-level compression" }, \
		{"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \
		{"ecdh_single", OPT_S_ECDHSINGLE, '-' }, \
		{"no_ticket", OPT_S_NOTICKET, '-' }, \
		{"serverpref", OPT_S_SERVERPREF, '-' }, \
		@@ -327,7 +327,7 @@ void wait_for_async(SSL *s);
		case OPT_S_NOTLS1_1: \
		case OPT_S_NOTLS1_2: \
		case OPT_S_BUGS: \
		case OPT_S_NOCOMP: \
		case OPT_S_COMP: \
		case OPT_S_ECDHSINGLE: \
		case OPT_S_NOTICKET: \
		case OPT_S_SERVERPREF: \

+6 −2

Original line number	Diff line number	Diff line
		@@ -131,9 +131,9 @@ These options are deprecated, instead use B<-min_protocol> and B<-max_protocol>.

		Various bug workarounds are set, same as setting B<SSL_OP_ALL>.

		=item B<-no_comp>
		=item B<-comp>

		Disables support for SSL/TLS compression, same as setting B<SSL_OP_NO_COMPRESS>.
		Enables support for SSL/TLS compression, same as clearing B<SSL_OP_NO_COMPRESSION>.

		=item B<-no_ticket>

		@@ -495,6 +495,10 @@ Disable TLS session tickets:

		SSL_CONF_cmd(ctx, "Options", "-SessionTicket");

		Enable compression:

		SSL_CONF_cmd(ctx, "Options", "Compression");

		Set supported curves to P-256, P-384:

		SSL_CONF_cmd(ctx, "Curves", "P-256:P-384");

+2 −2

Original line number	Diff line number	Diff line
		@@ -581,7 +581,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
		SSL_CONF_CMD_SWITCH("no_tls1_1", 0),
		SSL_CONF_CMD_SWITCH("no_tls1_2", 0),
		SSL_CONF_CMD_SWITCH("bugs", 0),
		SSL_CONF_CMD_SWITCH("no_comp", 0),
		SSL_CONF_CMD_SWITCH("comp", 0),
		SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER),
		SSL_CONF_CMD_SWITCH("no_ticket", 0),
		SSL_CONF_CMD_SWITCH("serverpref", SSL_CONF_FLAG_SERVER),
		@@ -640,7 +640,7 @@ static const ssl_switch_tbl ssl_cmd_switches[] = {
		{SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */
		{SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */
		{SSL_OP_ALL, 0}, /* bugs */
		{SSL_OP_NO_COMPRESSION, 0}, /* no_comp */
		{SSL_OP_NO_COMPRESSION, 1}, /* comp */
		{SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */
		{SSL_OP_NO_TICKET, 0}, /* no_ticket */
		{SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */

+7 −0

Original line number	Diff line number	Diff line
		@@ -2362,6 +2362,13 @@ SSL_CTX SSL_CTX_new(const SSL_METHOD meth)
		* deployed might change this.
		*/
		ret->options \|= SSL_OP_LEGACY_SERVER_CONNECT;
		/*
		* Disable compression by default to prevent CRIME. Applications can
		* re-enable compression by configuring
		* SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION);
		* or by using the SSL_CONF library.
		*/
		ret->options \|= SSL_OP_NO_COMPRESSION;

		return (ret);
		err: