/[packages]/updates/2/qt4/current/SOURCES/disable-ssl-compression-by-default.diff

Contents of /updates/2/qt4/current/SOURCES/disable-ssl-compression-by-default.diff



Revision 338296 - (show annotations) (download)
Thu Jan 3 18:26:32 2013 UTC (11 years, 9 months ago) by oden
File size: 2725 byte(s)
- P500: mitigate CVE-2012-4929 (opensuse, upstream)

1 commit d41dc3e101a694dec98d7bbb582d428d209e5401
2 Author: Richard Moore <rich@kde.org>
3 Date: Fri Sep 14 00:13:08 2012 +0100
4
5 Disable SSL compression by default.
6
7 Disable SSL compression by default since this appears to be a likely
8 cause of the currently hyped CRIME attack.
9
10 This is a backport of 5ea896fbc63593f424a7dfbb11387599c0025c74
11
12 Change-Id: I6eeefb23c6b140a9633b28ed85879459c474348a
13 Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
14 Reviewed-by: Peter Hartmann <phartmann@rim.com>
15
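diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
index 49e086f..9578178 100644
--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@@ -148,8 +148,9 @@ QT_BEGIN_NAMESPACE
 
 By default, SslOptionDisableEmptyFragments is turned on since this causes
 problems with a large number of servers. SslOptionDisableLegacyRenegotiation
- is also turned on, since it introduces a security risk. The other options
- are turned off.
+ is also turned on, since it introduces a security risk.
+ SslOptionDisableCompression is turned on to prevent the attack publicised by
+ CRIME. The other options are turned off.
 
 Note: Availability of above options depends on the version of the SSL
 backend in use.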
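diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
index 24c7b77..3a05f54 100644
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -201,7 +201,9 @@ bool QSslConfiguration::isNull() const
 d->privateKey.isNull() &&
 d->peerCertificate.isNull() &&
 d->peerCertificateChain.count() == 0 &&
- d->sslOptions == (QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation));
+ d->sslOptions == ( QSsl::SslOptionDisableEmptyFragments
+ |QSsl::SslOptionDisableLegacyRenegotiation
+ |QSsl::SslOptionDisableCompression));
 }
 
 /*!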
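Review bot: The default option set is now spelled out in two places — here in isNull() and again in the QSslConfigurationPrivate constructor in qsslconfiguration_p.h (the third hunk) — and this commit had to edit both, so the next change to the defaults risks the two drifting apart and isNull() reporting a freshly constructed configuration as non-null. Defining the set once, for example a `static const QSsl::SslOptions defaultSslOptions` on QSslConfigurationPrivate (name illustrative), and comparing with `d->sslOptions == QSslConfigurationPrivate::defaultSslOptions` here and in the constructor initializer, would keep them in step. isNull()'s return expression begins before this hunk, so only its tail is visible here.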
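diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h
index 74f17cd..c36b651 100644
--- a/src/network/ssl/qsslconfiguration_p.h
+++ b/src/network/ssl/qsslconfiguration_p.h
@@ -83,7 +83,9 @@ public:
 : protocol(QSsl::SecureProtocols),
 peerVerifyMode(QSslSocket::AutoVerifyPeer),
 peerVerifyDepth(0),
- sslOptions(QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation)
+ sslOptions(QSsl::SslOptionDisableEmptyFragments
+ |QSsl::SslOptionDisableLegacyRenegotiation
+ |QSsl::SslOptionDisableCompression)
 { }
 
 QSslCertificate peerCertificate;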
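Review bot: Setting SslOptionDisableCompression in the constructor's initializer only mitigates anything if the SSL backend translates the flag; with OpenSSL that presumably depends on SSL_OP_NO_COMPRESSION being available in the linked library, which the qssl.cpp availability note already hints at, so the mitigation should be confirmed against the shipped OpenSSL rather than inferred from this default. Nothing in the patch pins the new default; a regression test such as `QVERIFY(QSslConfiguration::defaultConfiguration().testSslOption(QSsl::SslOptionDisableCompression));` would catch it being lost in a later merge or backport. The constructor's initializer list starts before this hunk.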
