
Bug#691894: unblock: apache2/2.2.22-12



Err, the diff looks bad. This one is a better diff.



-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
diff --git a/debian/changelog b/debian/changelog
index 665b678..3d4d908 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+apache2 (2.2.22-12) unstable; urgency=low
+
+  * Backport mod_ssl "SSLCompression on|off" flag from upstream. The default is
+    "off". This mitigates impact of CRIME attacks. Fixes:
+    - "handling the CRIME attack" (Closes: #689936)
+    - "make it possible to disable ssl compression in apache2 mod_ssl"
+      (Closes: #674142)
+
+ -- Arno Töll <arno@debian.org>  Wed, 31 Oct 2012 00:23:59 +0100
+
 apache2 (2.2.22-11) unstable; urgency=low
 
   * Be more careful regarding link attacks when purging the cache disk
diff --git a/debian/patches/disable-ssl-compression.patch b/debian/patches/disable-ssl-compression.patch
new file mode 100644
index 0000000..6878f68
--- /dev/null
+++ b/debian/patches/disable-ssl-compression.patch
@@ -0,0 +1,121 @@
+From: Bjoern Jacke <debianbugs@j3e.de>
+Subject: Allow mod_ssl to disable ssl compression
+
+Patch submitted upstream, merged into 2.2.24. This patch adds a "Compression
+on|off" directive to mod_ssl.
+
+Origin: upstream, https://issues.apache.org/bugzilla/attachment.cgi?id=28804
+Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674142
+
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -146,6 +146,9 @@
+                 "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)")
+     SSL_CMD_SRV(HonorCipherOrder, FLAG,
+                 "Use the server's cipher ordering preference")
++    SSL_CMD_SRV(Compression, FLAG,
++                "Enable SSL level compression"
++                "(`on', `off')")
+     SSL_CMD_SRV(InsecureRenegotiation, FLAG,
+                 "Enable support for insecure renegotiation")
+     SSL_CMD_ALL(UserName, TAKE1,
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -178,6 +178,9 @@
+ #ifdef HAVE_FIPS
+     sc->fips                   = UNSET;
+ #endif
++#ifndef OPENSSL_NO_COMP
++    sc->compression            = UNSET;
++#endif
+ 
+     modssl_ctx_init_proxy(sc, p);
+ 
+@@ -275,6 +278,9 @@
+ #ifdef HAVE_FIPS
+     cfgMergeBool(fips);
+ #endif
++#ifndef OPENSSL_NO_COMP
++    cfgMergeBool(compression);
++#endif
+ 
+     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
+ 
+@@ -708,6 +714,23 @@
+ 
+ }
+ 
++const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
++{
++#if !defined(OPENSSL_NO_COMP)
++    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++#ifndef SSL_OP_NO_COMPRESSION
++    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
++    if (err)
++        return "This version of openssl does not support configuring "
++               "compression within <VirtualHost> sections.";
++#endif
++    sc->compression = flag ? TRUE : FALSE;
++    return NULL;
++#else
++    return "Setting Compression mode unsupported; not implemented by the SSL library";
++#endif
++}
++
+ const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
+ {
+ #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -532,6 +532,18 @@
+     }
+ #endif
+ 
++
++#ifndef OPENSSL_NO_COMP
++    if (sc->compression != TRUE) {
++#ifdef SSL_OP_NO_COMPRESSION
++        /* OpenSSL >= 1.0 only */
++        SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
++#elif OPENSSL_VERSION_NUMBER >= 0x00908000L
++        sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
++#endif
++    }
++#endif
++
+ #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+     if (sc->insecure_reneg == TRUE) {
+         SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -64,6 +64,11 @@
+ #define HAVE_TLSV1_X
+ #endif
+ 
++#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
++    && OPENSSL_VERSION_NUMBER < 0x00908000L
++#define OPENSSL_NO_COMP
++#endif
++
+ #include "ssl_util_ssl.h"
+ 
+ /** The #ifdef macros are only defined AFTER including the above
+@@ -495,6 +500,9 @@
+ #ifdef HAVE_FIPS
+     BOOL             fips;
+ #endif
++#ifndef OPENSSL_NO_COMP
++    BOOL             compression;
++#endif
+ };
+ 
+ /**
+@@ -551,6 +559,7 @@
+ const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
+ const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
+ const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
++const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
+ const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
+ const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
+ const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
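Review bot: The help text registered for the new directive in the mod_ssl.c part of the added patch joins two string literals with no separating space, so the directive listing reads `Enable SSL level compression(`on', `off')`; the two lines should be `"Enable SSL level compression "` followed by `"(`on', `off'; default off)"`, the default being worth stating because the ssl_engine_init.c part disables compression whenever `sc->compression != TRUE`, i.e. also for the UNSET value the config init assigns. In that same init block the fallback `sk_SSL_COMP_zero(SSL_COMP_get_compression_methods())` appears to edit a process-wide list rather than the per-context options used on the `SSL_OP_NO_COMPRESSION` path, which is presumably why `ssl_cmd_SSLCompression` restricts the directive to GLOBAL_ONLY on such builds; a comment at that branch, such as `/* no per-context switch on this OpenSSL: clears the process-wide method list, hence GLOBAL_ONLY in ssl_cmd_SSLCompression */`, would keep the two pieces of logic tied together for the next reader. Note too that after the ssl_private.h guard defines OPENSSL_NO_COMP for versions below 0x00908000L, the `#elif OPENSSL_VERSION_NUMBER >= 0x00908000L` condition in ssl_engine_init.c is always satisfied when reached, so it could be a plain `#else` with a comment explaining the guard. The enclosing function in ssl_engine_init.c starts and ends outside the hunk.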
diff --git a/debian/patches/series b/debian/patches/series
index 6113b65..e7b9b3f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -32,3 +32,4 @@
 #202_suexec-custom
 dbmmanage-perl-510.patch
 SSLProtocol-tls11-12.2.patch
+disable-ssl-compression.patch

Attachment: signature.asc
Description: OpenPGP digital signature

