|
|
edf87b1 |
From d41dc3e101a694dec98d7bbb582d428d209e5401 Mon Sep 17 00:00:00 2001
|
|
|
edf87b1 |
From: Richard Moore <rich@kde.org>
|
|
|
edf87b1 |
Date: Fri, 14 Sep 2012 00:13:08 +0100
|
|
|
edf87b1 |
Subject: [PATCH 41/54] Disable SSL compression by default.
|
|
|
edf87b1 |
|
|
|
edf87b1 |
Disable SSL compression by default since this appears to be the a likely
|
|
|
edf87b1 |
cause of the currently hyped CRIME attack.
|
|
|
edf87b1 |
|
|
|
edf87b1 |
This is a backport of 5ea896fbc63593f424a7dfbb11387599c0025c74
|
|
|
edf87b1 |
|
|
|
edf87b1 |
Change-Id: I6eeefb23c6b140a9633b28ed85879459c474348a
|
|
|
edf87b1 |
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
|
|
edf87b1 |
Reviewed-by: Peter Hartmann <phartmann@rim.com>
|
|
|
edf87b1 |
---
|
|
|
edf87b1 |
src/network/ssl/qssl.cpp | 5 +++--
|
|
|
edf87b1 |
src/network/ssl/qsslconfiguration.cpp | 4 +++-
|
|
|
edf87b1 |
src/network/ssl/qsslconfiguration_p.h | 4 +++-
|
|
|
edf87b1 |
3 files changed, 9 insertions(+), 4 deletions(-)
|
|
|
edf87b1 |
|
|
|
edf87b1 |
diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
|
|
|
edf87b1 |
index 49e086f..9578178 100644
|
|
|
edf87b1 |
--- a/src/network/ssl/qssl.cpp
|
|
|
edf87b1 |
+++ b/src/network/ssl/qssl.cpp
|
|
|
edf87b1 |
@@ -148,8 +148,9 @@ QT_BEGIN_NAMESPACE
|
|
|
edf87b1 |
|
|
|
edf87b1 |
By default, SslOptionDisableEmptyFragments is turned on since this causes
|
|
|
edf87b1 |
problems with a large number of servers. SslOptionDisableLegacyRenegotiation
|
|
|
edf87b1 |
- is also turned on, since it introduces a security risk. The other options
|
|
|
edf87b1 |
- are turned off.
|
|
|
edf87b1 |
+ is also turned on, since it introduces a security risk.
|
|
|
edf87b1 |
+ SslOptionDisableCompression is turned on to prevent the attack publicised by
|
|
|
edf87b1 |
+ CRIME. The other options are turned off.
|
|
|
edf87b1 |
|
|
|
edf87b1 |
Note: Availability of above options depends on the version of the SSL
|
|
|
edf87b1 |
backend in use.
|
|
|
edf87b1 |
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
|
|
|
edf87b1 |
index 24c7b77..3a05f54 100644
|
|
|
edf87b1 |
--- a/src/network/ssl/qsslconfiguration.cpp
|
|
|
edf87b1 |
+++ b/src/network/ssl/qsslconfiguration.cpp
|
|
|
edf87b1 |
@@ -201,7 +201,9 @@ bool QSslConfiguration::isNull() const
|
|
|
edf87b1 |
d->privateKey.isNull() &&
|
|
|
edf87b1 |
d->peerCertificate.isNull() &&
|
|
|
edf87b1 |
d->peerCertificateChain.count() == 0 &&
|
|
|
edf87b1 |
- d->sslOptions == (QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation));
|
|
|
edf87b1 |
+ d->sslOptions == ( QSsl::SslOptionDisableEmptyFragments
|
|
|
edf87b1 |
+ |QSsl::SslOptionDisableLegacyRenegotiation
|
|
|
edf87b1 |
+ |QSsl::SslOptionDisableCompression));
|
|
|
edf87b1 |
}
|
|
|
edf87b1 |
|
|
|
edf87b1 |
/*!
|
|
|
edf87b1 |
diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h
|
|
|
edf87b1 |
index 74f17cd..c36b651 100644
|
|
|
edf87b1 |
--- a/src/network/ssl/qsslconfiguration_p.h
|
|
|
edf87b1 |
+++ b/src/network/ssl/qsslconfiguration_p.h
|
|
|
edf87b1 |
@@ -83,7 +83,9 @@ public:
|
|
|
edf87b1 |
: protocol(QSsl::SecureProtocols),
|
|
|
edf87b1 |
peerVerifyMode(QSslSocket::AutoVerifyPeer),
|
|
|
edf87b1 |
peerVerifyDepth(0),
|
|
|
edf87b1 |
- sslOptions(QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation)
|
|
|
edf87b1 |
+ sslOptions(QSsl::SslOptionDisableEmptyFragments
|
|
|
edf87b1 |
+ |QSsl::SslOptionDisableLegacyRenegotiation
|
|
|
edf87b1 |
+ |QSsl::SslOptionDisableCompression)
|
|
|
edf87b1 |
{ }
|
|
|
edf87b1 |
|
|
|
edf87b1 |
QSslCertificate peerCertificate;
|
|
|
edf87b1 |
--
|
|
|
edf87b1 |
1.7.12
|
|
|
edf87b1 |
|