Disable SSL compression by default.

Disable SSL compression by default since this appears to be the a likely
cause of the currently hyped CRIME attack.

Change-Id: I515fcc46f5199acf938e9e880a4345f2d405b2a3
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Peter Hartmann <phartmann@rim.com>
This commit is contained in:
Richard Moore 2012-09-11 22:49:55 +01:00 committed by The Qt Project
parent 3f970c20f9
commit 5ea896fbc6
3 changed files with 11 additions and 3 deletions

View File

@ -164,8 +164,9 @@ QT_BEGIN_NAMESPACE
By default, SslOptionDisableEmptyFragments is turned on since this causes
problems with a large number of servers. SslOptionDisableLegacyRenegotiation
is also turned on, since it introduces a security risk. The other options
are turned off.
is also turned on, since it introduces a security risk.
SslOptionDisableCompression is turned on to prevent the attack publicised by
CRIME. The other options are turned off.
Note: Availability of above options depends on the version of the SSL
backend in use.

View File

@ -48,7 +48,8 @@
QT_BEGIN_NAMESPACE
const QSsl::SslOptions QSslConfigurationPrivate::defaultSslOptions = QSsl::SslOptionDisableEmptyFragments
|QSsl::SslOptionDisableLegacyRenegotiation;
|QSsl::SslOptionDisableLegacyRenegotiation
|QSsl::SslOptionDisableCompression;
/*!
\class QSslConfiguration

View File

@ -2109,9 +2109,15 @@ void tst_QSslSocket::sslOptions()
if (!QSslSocket::supportsSsl())
return;
#ifdef SSL_OP_NO_COMPRESSION
QCOMPARE(QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SecureProtocols,
QSslConfigurationPrivate::defaultSslOptions),
long(SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_COMPRESSION));
#else
QCOMPARE(QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SecureProtocols,
QSslConfigurationPrivate::defaultSslOptions),
long(SSL_OP_ALL|SSL_OP_NO_SSLv2));
#endif
QCOMPARE(QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SecureProtocols,
QSsl::SslOptionDisableEmptyFragments