Err, the diff looks bad. This one is a better diff. -- with kind regards, Arno Töll IRC: daemonkeeper on Freenode/OFTC GnuPG Key-ID: 0x9D80F36D
diff --git a/debian/changelog b/debian/changelog
index 665b678..3d4d908 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+apache2 (2.2.22-12) unstable; urgency=low
+
+ * Backport mod_ssl "SSLCompression on|off" flag from upstream. The default is
+ "off". This mitigates impact of CRIME attacks. Fixes:
+ - "handling the CRIME attack" (Closes: #689936)
+ - "make it possible to disable ssl compression in apache2 mod_ssl"
+ (Closes: #674142)
+
+ -- Arno Töll <arno@debian.org> Wed, 31 Oct 2012 00:23:59 +0100
+
 apache2 (2.2.22-11) unstable; urgency=low
 
 * Be more careful regarding link attacks when purging the cache disk
diff --git a/debian/patches/disable-ssl-compression.patch b/debian/patches/disable-ssl-compression.patch
new file mode 100644
index 0000000..6878f68
--- /dev/null
+++ b/debian/patches/disable-ssl-compression.patch
@@ -0,0 +1,121 @@
+From: Bjoern Jacke <debianbugs@j3e.de>
+Subject: Allow mod_ssl to disable ssl compression
+
+Patch submitted upstream, merged into 2.2.24. This patch adds a "Compression
+on|off" directive to mod_ssl.
+
+Origin: upstream, https://issues.apache.org/bugzilla/attachment.cgi?id=28804
+Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674142
+
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -146,6 +146,9 @@
+ "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)")
+ SSL_CMD_SRV(HonorCipherOrder, FLAG,
+ "Use the server's cipher ordering preference")
++ SSL_CMD_SRV(Compression, FLAG,
++ "Enable SSL level compression"
++ "(`on', `off')")
+ SSL_CMD_SRV(InsecureRenegotiation, FLAG,
+ "Enable support for insecure renegotiation")
+ SSL_CMD_ALL(UserName, TAKE1,
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -178,6 +178,9 @@
+ #ifdef HAVE_FIPS
+ sc->fips = UNSET;
+ #endif
++#ifndef OPENSSL_NO_COMP
++ sc->compression = UNSET;
++#endif
+ 
+ modssl_ctx_init_proxy(sc, p);
+ 
+@@ -275,6 +278,9 @@
+ #ifdef HAVE_FIPS
+ cfgMergeBool(fips);
+ #endif
++#ifndef OPENSSL_NO_COMP
++ cfgMergeBool(compression);
++#endif
+ 
+ modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
+ 
+@@ -708,6 +714,23 @@
+ 
+ }
+ 
++const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
++{
++#if !defined(OPENSSL_NO_COMP)
++ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++#ifndef SSL_OP_NO_COMPRESSION
++ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
++ if (err)
++ return "This version of openssl does not support configuring "
++ "compression within <VirtualHost> sections.";
++#endif
++ sc->compression = flag ? TRUE : FALSE;
++ return NULL;
++#else
++ return "Setting Compression mode unsupported; not implemented by the SSL library";
++#endif
++}
++
+ const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
+ {
+ #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -532,6 +532,18 @@
+ }
+ #endif
+ 
++
++#ifndef OPENSSL_NO_COMP
++ if (sc->compression != TRUE) {
++#ifdef SSL_OP_NO_COMPRESSION
++ /* OpenSSL >= 1.0 only */
++ SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
++#elif OPENSSL_VERSION_NUMBER >= 0x00908000L
++ sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
++#endif
++ }
++#endif
++
+ #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+ if (sc->insecure_reneg == TRUE) {
+ SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -64,6 +64,11 @@
+ #define HAVE_TLSV1_X
+ #endif
+ 
++#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
++ && OPENSSL_VERSION_NUMBER < 0x00908000L
++#define OPENSSL_NO_COMP
++#endif
++
+ #include "ssl_util_ssl.h"
+ 
+ /** The #ifdef macros are only defined AFTER including the above
+@@ -495,6 +500,9 @@
+ #ifdef HAVE_FIPS
+ BOOL fips;
+ #endif
++#ifndef OPENSSL_NO_COMP
++ BOOL compression;
++#endif
+ };
+ 
+ /**
+@@ -551,6 +559,7 @@
+ const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
+ const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
+ const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
++const char *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
+ const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
+ const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
+ const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
diff --git a/debian/patches/series b/debian/patches/series
index 6113b65..e7b9b3f 100644
--- a/debian/patches/series
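Review bot: In ssl_cmd_SSLCompression the `#else` branch for a library built without compression rejects every use of the directive, so a config that states `SSLCompression off` fails to start on exactly the builds where off is already the only possible state; accept that case as a no-op with `if (!flag) return NULL;` placed ahead of the `return "Setting Compression mode unsupported; ..."` line. The help text in the mod_ssl.c hunk concatenates the literal `"Enable SSL level compression"` directly onto the next literal with no separating space, so it renders as "compression(`on', `off')"; end the first literal with a trailing space. In the ssl_engine_init.c hunk the pre-1.0 fallback `sk_SSL_COMP_zero(SSL_COMP_get_compression_methods())` empties the library-global method list rather than setting an option on this context, which is what the GLOBAL_ONLY restriction in the handler is compensating for; a comment on that line, `/* library-global: affects every SSL_CTX, hence GLOBAL_ONLY in ssl_cmd_SSLCompression */`, would keep the two from drifting apart. The function enclosing that init hunk starts and ends outside the hunk.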
+++ b/debian/patches/series
@@ -32,3 +32,4 @@
 #202_suexec-custom
 dbmmanage-perl-510.patch
 SSLProtocol-tls11-12.2.patch
+disable-ssl-compression.patch