summaryrefslogtreecommitdiff
path: root/extra/qt/disable-ssl-compression.patch
blob: 443af57f341e03540f4932a7b9d93bd722173586 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
From d41dc3e101a694dec98d7bbb582d428d209e5401 Mon Sep 17 00:00:00 2001
From: Richard Moore <rich@kde.org>
Date: Fri, 14 Sep 2012 00:13:08 +0100
Subject: [PATCH] Disable SSL compression by default.

Disable SSL compression by default since this appears to be the a likely
cause of the currently hyped CRIME attack.

This is a backport of 5ea896fbc63593f424a7dfbb11387599c0025c74

Change-Id: I6eeefb23c6b140a9633b28ed85879459c474348a
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Peter Hartmann <phartmann@rim.com>
---
 src/network/ssl/qssl.cpp              |    5 +++--
 src/network/ssl/qsslconfiguration.cpp |    4 +++-
 src/network/ssl/qsslconfiguration_p.h |    4 +++-
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
index 49e086f..9578178 100644
--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@@ -148,8 +148,9 @@ QT_BEGIN_NAMESPACE
 
     By default, SslOptionDisableEmptyFragments is turned on since this causes
     problems with a large number of servers. SslOptionDisableLegacyRenegotiation
-    is also turned on, since it introduces a security risk. The other options
-    are turned off.
+    is also turned on, since it introduces a security risk.
+    SslOptionDisableCompression is turned on to prevent the attack publicised by
+    CRIME. The other options are turned off.
 
     Note: Availability of above options depends on the version of the SSL
     backend in use.
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
index 24c7b77..3a05f54 100644
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -201,7 +201,9 @@ bool QSslConfiguration::isNull() const
             d->privateKey.isNull() &&
             d->peerCertificate.isNull() &&
             d->peerCertificateChain.count() == 0 &&
-            d->sslOptions == (QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation));
+            d->sslOptions == ( QSsl::SslOptionDisableEmptyFragments
+                              |QSsl::SslOptionDisableLegacyRenegotiation
+                              |QSsl::SslOptionDisableCompression));
 }
 
 /*!
diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h
index 74f17cd..c36b651 100644
--- a/src/network/ssl/qsslconfiguration_p.h
+++ b/src/network/ssl/qsslconfiguration_p.h
@@ -83,7 +83,9 @@ public:
         : protocol(QSsl::SecureProtocols),
           peerVerifyMode(QSslSocket::AutoVerifyPeer),
           peerVerifyDepth(0),
-          sslOptions(QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation)
+          sslOptions(QSsl::SslOptionDisableEmptyFragments
+                     |QSsl::SslOptionDisableLegacyRenegotiation
+                     |QSsl::SslOptionDisableCompression)
     { }
 
     QSslCertificate peerCertificate;
-- 
1.7.10