|
|
cfec1a |
diff -up openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod
|
|
|
cfec1a |
--- openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib 2015-04-09 18:17:20.509637597 +0200
|
|
|
cfec1a |
+++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod 2015-04-09 18:17:14.767504953 +0200
|
|
|
a5ef24 |
@@ -47,6 +47,13 @@ Once the identities of the compression m
|
|
|
a5ef24 |
been standardized, the compression API will most likely be changed. Using
|
|
|
a5ef24 |
it in the current state is not recommended.
|
|
|
a5ef24 |
|
|
|
a5ef24 |
+It is also not recommended to use compression if data transfered contain
|
|
|
a5ef24 |
+untrusted parts that can be manipulated by an attacker as he could then
|
|
|
a5ef24 |
+get information about the encrypted data. See the CRIME attack. For
|
|
|
a5ef24 |
+that reason the default loading of the zlib compression method is
|
|
|
a5ef24 |
+disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
|
|
|
a5ef24 |
+is present during the library initialization.
|
|
|
a5ef24 |
+
|
|
|
a5ef24 |
=head1 RETURN VALUES
|
|
|
a5ef24 |
|
|
|
a5ef24 |
SSL_COMP_add_compression_method() may return the following values:
|
|
|
cfec1a |
diff -up openssl-1.0.2a/ssl/ssl_ciph.c.env-zlib openssl-1.0.2a/ssl/ssl_ciph.c
|
|
|
cfec1a |
--- openssl-1.0.2a/ssl/ssl_ciph.c.env-zlib 2015-04-09 18:17:20.510637620 +0200
|
|
|
cfec1a |
+++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-04-09 18:17:20.264631937 +0200
|
|
|
a5ef24 |
@@ -140,6 +140,8 @@
|
|
|
a5ef24 |
* OTHERWISE.
|
|
|
a5ef24 |
*/
|
|
|
a5ef24 |
|
|
|
a5ef24 |
+/* for secure_getenv */
|
|
|
a5ef24 |
+#define _GNU_SOURCE
|
|
|
a5ef24 |
#include <stdio.h>
|
|
|
a5ef24 |
#include <openssl/objects.h>
|
|
|
a5ef24 |
#ifndef OPENSSL_NO_COMP
|
|
|
cfec1a |
@@ -450,7 +452,8 @@ static void load_builtin_compressions(vo
|
|
|
a5ef24 |
|
|
|
cfec1a |
MemCheck_off();
|
|
|
cfec1a |
ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
|
|
|
cfec1a |
- if (ssl_comp_methods != NULL) {
|
|
|
cfec1a |
+ if (ssl_comp_methods != NULL
|
|
|
cfec1a |
+ && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
|
|
|
cfec1a |
comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
|
|
|
cfec1a |
if (comp != NULL) {
|
|
|
cfec1a |
comp->method = COMP_zlib();
|