authorjsing <jsing@openbsd.org>2013-07-16 13:22:55 +0000
committerjsing <jsing@openbsd.org>2013-07-16 13:22:55 +0000
commit2d61c986d448ac93b616082f0bbbc4398bcba718 (patch)
treea0fb83e717fecd3ddbfeb6cc4ed5818c8680c72f /usr.sbin/httpd/src
parentEnable ECDHE support in httpd via a SSLECDHCurve option. This specifies the (diff)
Disable SSL compression in order to mitigate CRIME attacks. Add
an SSLCompression option so that it can be turned back on; however, this is currently a no-op due to the compile options for libssl. Requested by and ok djm@
Diffstat (limited to 'usr.sbin/httpd/src')
-rw-r--r--usr.sbin/httpd/src/modules/ssl/mod_ssl.c11
-rw-r--r--usr.sbin/httpd/src/modules/ssl/mod_ssl.h2
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c11
-rw-r--r--usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c4
4 files changed, 23 insertions, 5 deletions
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
index 01133e25485..216700bab2f 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c
@@ -74,7 +74,7 @@
* identify the module to SCCS `what' and RCS `ident' commands
*/
static char const sccsid[] = "@(#) mod_ssl/" MOD_SSL_VERSION " >";
-static char const rcsid[] = "$Id: mod_ssl.c,v 1.13 2013/07/16 13:02:16 jsing Exp $";
+static char const rcsid[] = "$Id: mod_ssl.c,v 1.14 2013/07/16 13:22:55 jsing Exp $";
/*
* the table of configuration directives we provide
@@ -107,15 +107,18 @@ static command_rec ssl_config_cmds[] = {
AP_SRV_CMD(Engine, FLAG,
"SSL switch for the protocol engine "
"(`on', `off')")
- AP_SRV_CMD(HonorCipherOrder, FLAG,
- "Let the server determine preferred ciphers "
- "(`on', `off')")
+ AP_SRV_CMD(Compression, FLAG,
+ "Use SSL compression "
+ "(`on', `off')")
AP_ALL_CMD(CipherSuite, TAKE1,
"Colon-delimited list of permitted SSL Ciphers "
"(`XXX:...:XXX' - see manual)")
AP_SRV_CMD(ECDHCurve, TAKE1,
"Name of ECDH curve to use for ephemeral EC keys "
"(`curve' - see manual)")
+ AP_SRV_CMD(HonorCipherOrder, FLAG,
+ "Let the server determine preferred ciphers "
+ "(`on', `off')")
AP_SRV_CMD(CertificateFile, TAKE1,
"SSL Server Certificate file "
"(`/path/to/file' - PEM or DER encoded)")
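Review bot: The help text for the new Compression directive, `"Use SSL compression "`, gives an administrator no hint that it is off by default for a security reason, unlike the other directives here which at least state their value set. Since the default is FALSE (set in ssl_config_server_create in this same commit) and the commit message says the option exists only to re-enable CRIME-vulnerable behaviour, the string should say so, e.g. `"Use SSL compression (default `off'; enabling it re-exposes CRIME) "`. The ssl_config_cmds table continues outside this hunk.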
diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
index 4d88024b999..d63a89910df 100644
--- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
+++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h
@@ -507,6 +507,7 @@ typedef struct {
*/
typedef struct {
BOOL bEnabled;
+ BOOL bCompression;
char *szPublicCertFile[SSL_AIDX_MAX];
char *szPrivateKeyFile[SSL_AIDX_MAX];
char *szCertificateChain;
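Review bot: The new `BOOL bCompression;` field is the only thing in this struct that changes a libssl security option, yet it carries no comment saying what the values mean. A one-line note would help the next reader, e.g. `BOOL bCompression; /* SSLCompression; FALSE sets SSL_OP_NO_COMPRESSION (CRIME mitigation) */`. The SSLSrvConfigRec definition starts and ends outside this hunk.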
@@ -591,6 +592,7 @@ const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLRandomSeed(cmd_parms *, char *, char *, char *, char *);
const char *ssl_cmd_SSLEngine(cmd_parms *, char *, int);
+const char *ssl_cmd_SSLCompression(cmd_parms *, char *, int);
const char *ssl_cmd_SSLCipherSuite(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLECDHCurve(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *, char *, int);
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
index 775837a1e89..2bda3964065 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c
@@ -191,6 +191,7 @@ void *ssl_config_server_create(pool *p, server_rec *s)
sc = ap_palloc(p, sizeof(SSLSrvConfigRec));
sc->bEnabled = UNSET;
+ sc->bCompression = FALSE;
sc->szCACertificatePath = NULL;
sc->szCACertificateFile = NULL;
sc->szCertificateChain = NULL;
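Review bot: `sc->bCompression = FALSE;` on the added line departs from the pattern used by `bEnabled`, which starts as UNSET so that the merge step can tell "not configured" from "off". With an explicit FALSE, a virtual host that never mentions SSLCompression will presumably not inherit `SSLCompression on` from the main server, since `cfgMergeBool(bCompression)` (added in the next hunk) sees a configured value on the vhost side. If that fail-closed behaviour is intended it deserves a comment, e.g. `sc->bCompression = FALSE; /* not UNSET: compression is never inherited, only enabled explicitly */`; otherwise initialise to UNSET and have the init code treat UNSET as disabled. ssl_config_server_create starts and ends outside this hunk.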
@@ -249,6 +250,7 @@ void *ssl_config_server_merge(pool *p, void *basev, void *addv)
int i;
cfgMergeBool(bEnabled);
+ cfgMergeBool(bCompression);
cfgMergeString(szCACertificatePath);
cfgMergeString(szCACertificateFile);
cfgMergeString(szCertificateChain);
@@ -534,6 +536,15 @@ const char *ssl_cmd_SSLEngine(
return NULL;
}
+const char *ssl_cmd_SSLCompression(
+ cmd_parms *cmd, char *struct_ptr, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->bCompression = (flag ? TRUE : FALSE);
+ return NULL;
+}
+
const char *ssl_cmd_SSLCipherSuite(
cmd_parms *cmd, SSLDirConfigRec *dc, char *arg)
{
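Review bot: ssl_cmd_SSLCompression records the flag without any comment, so nothing tells a reader that the option is applied later in ssl_init_ConfigureServer or that, per the commit message, turning it on has no effect on a libssl built without compression support. A short header comment above the function would cover both: `/* SSLCompression on|off: only stores the flag; applied via SSL_OP_NO_COMPRESSION at context init. Has no effect when libssl lacks compression methods. */`. The function is complete within this hunk; the following ssl_cmd_SSLCipherSuite is not.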
diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
index 67930cf4f1b..282ec56de8b 100644
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
+++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_engine_init.c,v 1.31 2013/07/16 13:02:16 jsing Exp $ */
+/* $OpenBSD: ssl_engine_init.c,v 1.32 2013/07/16 13:22:55 jsing Exp $ */
/* _ _
** _ __ ___ ___ __| | ___ ___| | mod_ssl
@@ -590,6 +590,8 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc)
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
if (!(sc->nProtocol & SSL_PROTOCOL_TLSV1))
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
+ if (sc->bCompression == FALSE)
+ SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
if (sc->bHonorCipherOrder == TRUE)
SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
SSL_CTX_set_app_data(ctx, s);
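Review bot: The added `if (sc->bCompression == FALSE)` branch silently accepts `SSLCompression on` even though the commit message says it is currently a no-op, so an administrator gets no feedback that compression was not actually enabled. Consider an else branch that checks whether libssl offers any compression method and logs when it does not, presumably `else if (sk_SSL_COMP_num(SSL_COMP_get_compression_methods()) == 0) ssl_log(s, SSL_LOG_WARN, "SSLCompression on has no effect: libssl provides no compression methods");` if `ssl_log` is the module's logging helper and that libssl API is available in this tree. It would also be worth a comment on the FALSE branch that this is the CRIME mitigation. ssl_init_ConfigureServer starts and ends outside this hunk.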