diff -up openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod

--- openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod.env-zlib	2003-11-29 11:33:25.000000000 +0100

+++ openssl-fips-0.9.8e/doc/ssl/SSL_COMP_add_compression_method.pod	2013-07-17 12:30:39.390891366 +0200

@@ -47,6 +47,13 @@ Once the identities of the compression m

 been standardized, the compression API will most likely be changed. Using

 it in the current state is not recommended.

+It is also not recommended to use compression if data transfered contain

+untrusted parts that can be manipulated by an attacker as he could then

+get information about the encrypted data. See the CRIME attack. For

+that reason the default loading of the zlib compression method is

+disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>

+is present during the library initialization.

+

 =head1 RETURN VALUES

 SSL_COMP_add_compression_method() may return the following values:

diff -up openssl-fips-0.9.8e/README.env-zlib openssl-fips-0.9.8e/README

--- openssl-fips-0.9.8e/README.env-zlib	2007-03-22 01:37:41.000000000 +0100

+++ openssl-fips-0.9.8e/README	2013-07-17 12:30:39.390891366 +0200

@@ -8,8 +8,22 @@

  WARNING

  -------

- This version of OpenSSL is an initial port of the FIPS 140-2 code to OpenSSL

- 0.9.8. See the file README.FIPS for brief usage details.

+ This version of OpenSSL is based on upstream openssl-fips-1.2.0 code

+ which is also undergoing FIPS validation.

+ 

+ However this version contains a few differences from the upstream code

+ some of which are:

+   * The module respects the kernel FIPS flag /proc/sys/crypto/fips and

+     tries to initialize the FIPS mode if it is set to 1 aborting if the

+     FIPS mode could not be initialized. It is also possible to force the

+     OpenSSL library to FIPS mode especially for debugging purposes by

+     setting the environment variable OPENSSL_FORCE_FIPS_MODE.

+   * If the environment variable OPENSSL_DEFAULT_ZLIB is set the module

+     will automatically load the built in compression method ZLIB

+     when initialized. Applications can still explicitely ask for ZLIB

+     compression method with API calls. Otherwise the compression is not

+     loaded and used due to protocol vulnerability as described in the

+     CRIME attack.

  DESCRIPTION

  -----------

diff -up openssl-fips-0.9.8e/ssl/ssl_ciph.c.env-zlib openssl-fips-0.9.8e/ssl/ssl_ciph.c

--- openssl-fips-0.9.8e/ssl/ssl_ciph.c.env-zlib	2007-08-13 20:35:04.000000000 +0200

+++ openssl-fips-0.9.8e/ssl/ssl_ciph.c	2013-07-17 12:31:22.855061684 +0200

@@ -113,6 +113,8 @@

  * ECC cipher suite support in OpenSSL originally developed by 

  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.

  */

+/* for secure_getenv */

+#define _GNU_SOURCE

 #include <stdio.h>

 #include <openssl/objects.h>

 #include <openssl/comp.h>

@@ -284,7 +286,7 @@ static void load_builtin_compressions(vo

 			MemCheck_off();

 			ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);

-			if (ssl_comp_methods != NULL)

+			if (ssl_comp_methods != NULL && secure_getenv("OPENSSL_DEFAULT_ZLIB") != NULL)

 				{

 				comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));

 				if (comp != NULL)