Disable SSL compression by default.

Disable SSL compression by default since this appears to be the a likely cause of the currently hyped CRIME attack. Change-Id: I515fcc46f5199acf938e9e880a4345f2d405b2a3 Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> Reviewed-by: Peter Hartmann <phartmann@rim.com>
2012-09-11 22:49:55 +01:00 · 2012-09-11 22:49:55 +01:00 · 5ea896fbc6
commit 5ea896fbc6
parent 3f970c20f9
3 changed files with 11 additions and 3 deletions
--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@ -164,8 +164,9 @@ QT_BEGIN_NAMESPACE

    By default, SslOptionDisableEmptyFragments is turned on since this causes
    problems with a large number of servers. SslOptionDisableLegacyRenegotiation
-    is also turned on, since it introduces a security risk. The other options
-    are turned off.
+    is also turned on, since it introduces a security risk.
+    SslOptionDisableCompression is turned on to prevent the attack publicised by
+    CRIME. The other options are turned off.

    Note: Availability of above options depends on the version of the SSL
    backend in use.
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@ -48,7 +48,8 @@
 QT_BEGIN_NAMESPACE

 const QSsl::SslOptions QSslConfigurationPrivate::defaultSslOptions = QSsl::SslOptionDisableEmptyFragments
-                                                                    |QSsl::SslOptionDisableLegacyRenegotiation;
+                                                                    |QSsl::SslOptionDisableLegacyRenegotiation
+                                                                    |QSsl::SslOptionDisableCompression;

 /*!
    \class QSslConfiguration
--- a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
+++ b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
@ -2109,9 +2109,15 @@ void tst_QSslSocket::sslOptions()
    if (!QSslSocket::supportsSsl())
        return;

+#ifdef SSL_OP_NO_COMPRESSION
+    QCOMPARE(QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SecureProtocols,
+                                                           QSslConfigurationPrivate::defaultSslOptions),
+             long(SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_COMPRESSION));
+#else
    QCOMPARE(QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SecureProtocols,
                                                           QSslConfigurationPrivate::defaultSslOptions),
             long(SSL_OP_ALL|SSL_OP_NO_SSLv2));
+#endif

    QCOMPARE(QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SecureProtocols,
                                                           QSsl::SslOptionDisableEmptyFragments