commit d41dc3e101a694dec98d7bbb582d428d209e5401 |
Author: Richard Moore <rich@kde.org> |
Date: Fri Sep 14 00:13:08 2012 +0100 |
Disable SSL compression by default. |
Disable SSL compression by default since this appears to be a likely |
cause of the currently hyped CRIME attack. |
This is a backport of 5ea896fbc63593f424a7dfbb11387599c0025c74 |
Change-Id: I6eeefb23c6b140a9633b28ed85879459c474348a |
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> |
Reviewed-by: Peter Hartmann <phartmann@rim.com> |
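--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@@ -148,8 +148,9 @@ QT_BEGIN_NAMESPACE
 
 By default, SslOptionDisableEmptyFragments is turned on since this causes
 problems with a large number of servers. SslOptionDisableLegacyRenegotiation
- is also turned on, since it introduces a security risk. The other options
- are turned off.
+ is also turned on, since it introduces a security risk.
+ SslOptionDisableCompression is turned on to prevent the attack publicised by
+ CRIME. The other options are turned off.
 
 Note: Availability of above options depends on the version of the SSL
 backend in use.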
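Review bot: The added sentence `SslOptionDisableCompression is turned on to prevent the attack publicised by CRIME.` names the attack but not what the option actually switches off, which is what a reader deciding whether to re-enable it needs; presumably the option only governs compression negotiated at the TLS layer, so compression performed by the application protocol on top of the connection is not affected by it. Suggest wording it `SslOptionDisableCompression is turned on, which disables TLS-level compression to mitigate the CRIME attack; compression performed by the application protocol itself is not affected.` The existing note that availability depends on the SSL backend applies to this option too, and it may be worth saying so explicitly since this default is now relied on for a security property.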
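--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -201,7 +201,9 @@ bool QSslConfiguration::isNull() const
 d->privateKey.isNull() &&
 d->peerCertificate.isNull() &&
 d->peerCertificateChain.count() == 0 &&
- d->sslOptions == (QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation));
+ d->sslOptions == ( QSsl::SslOptionDisableEmptyFragments
+ |QSsl::SslOptionDisableLegacyRenegotiation
+ |QSsl::SslOptionDisableCompression));
 }
 
 /*!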
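Review bot: The default option set is now spelled out twice, once in this comparison inside isNull() and once in the QSslConfigurationPrivate constructor initializer in qsslconfiguration_p.h, so the next option added to the default (as this commit does for compression) has to be remembered in both places or isNull() silently starts returning false for a freshly constructed configuration. A single definition would remove that drift, for example a constant next to the private class (name constructed here): `static const QSsl::SslOptions defaultSslOptions = QSsl::SslOptionDisableEmptyFragments | QSsl::SslOptionDisableLegacyRenegotiation | QSsl::SslOptionDisableCompression;` used both in the initializer and as `d->sslOptions == defaultSslOptions);` here. isNull() begins above this hunk, so the remaining conjuncts are not visible.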
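--- a/src/network/ssl/qsslconfiguration_p.h
+++ b/src/network/ssl/qsslconfiguration_p.h
@@ -83,7 +83,9 @@ public:
 : protocol(QSsl::SecureProtocols),
 peerVerifyMode(QSslSocket::AutoVerifyPeer),
 peerVerifyDepth(0),
- sslOptions(QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation)
+ sslOptions(QSsl::SslOptionDisableEmptyFragments
+ |QSsl::SslOptionDisableLegacyRenegotiation
+ |QSsl::SslOptionDisableCompression)
 { }
 
 QSslCertificate peerCertificate;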
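Review bot: The initializer sets SslOptionDisableCompression unconditionally, while the qssl.cpp documentation touched by this same commit says availability of these options depends on the SSL backend version; from this hunk it is not visible whether a backend without a no-compression control ignores the flag or surfaces the failure, so a caller cannot tell from the default alone that compression is really off. A short comment on the new line would make the intent and its limit clear, e.g. `|QSsl::SslOptionDisableCompression) // CRIME mitigation; whether the backend honours it is backend-dependent, see qssl.cpp docs`. The constructor whose initializer list this is starts above the hunk.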