Disable SSL compression by default.
Disable SSL compression by default since this appears to be a likely cause of the currently hyped CRIME attack. Change-Id: I515fcc46f5199acf938e9e880a4345f2d405b2a3 Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> Reviewed-by: Peter Hartmann <phartmann@rim.com>
parent
3f970c20f9
commit
5ea896fbc6
@ -164,8 +164,9 @@ QT_BEGIN_NAMESPACE
|
||||
|
||||
By default, SslOptionDisableEmptyFragments is turned on since this causes
|
||||
problems with a large number of servers. SslOptionDisableLegacyRenegotiation
|
||||
is also turned on, since it introduces a security risk. The other options
|
||||
are turned off.
|
||||
is also turned on, since it introduces a security risk.
|
||||
SslOptionDisableCompression is turned on to prevent the attack publicised by
|
||||
CRIME. The other options are turned off.
|
||||
|
||||
Note: Availability of above options depends on the version of the SSL
|
||||
backend in use.
|
||||
|
@ -48,7 +48,8 @@
|
||||
QT_BEGIN_NAMESPACE
|
||||
|
||||
const QSsl::SslOptions QSslConfigurationPrivate::defaultSslOptions = QSsl::SslOptionDisableEmptyFragments
|
||||
|QSsl::SslOptionDisableLegacyRenegotiation;
|
||||
|QSsl::SslOptionDisableLegacyRenegotiation
|
||||
|QSsl::SslOptionDisableCompression;
|
||||
|
||||
/*!
|
||||
\class QSslConfiguration
|
||||
|
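Review bot: The new `defaultSslOptions` initializer carries no comment saying why `QSsl::SslOptionDisableCompression` is part of the default, so a later cleanup could drop it without noticing that it is a security default. I would add a comment above the definition, for example `// Compression is off by default: TLS-level compression exposes secrets through ciphertext length (CRIME).` followed by `// Callers that need it must opt back in with QSslConfiguration::setSslOption().` This default changes behaviour for every configuration that does not set its own options, which the comment should also state. Judging by the test change in this commit, the flag only reaches OpenSSL when `SSL_OP_NO_COMPRESSION` is defined, so the comment should also say the default is best-effort on older backends.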
@ -2109,9 +2109,15 @@ void tst_QSslSocket::sslOptions()
|
||||
if (!QSslSocket::supportsSsl())
|
||||
return;
|
||||
|
||||
#ifdef SSL_OP_NO_COMPRESSION
|
||||
QCOMPARE(QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SecureProtocols,
|
||||
QSslConfigurationPrivate::defaultSslOptions),
|
||||
long(SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_COMPRESSION));
|
||||
#else
|
||||
QCOMPARE(QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SecureProtocols,
|
||||
QSslConfigurationPrivate::defaultSslOptions),
|
||||
long(SSL_OP_ALL|SSL_OP_NO_SSLv2));
|
||||
#endif
|
||||
|
||||
QCOMPARE(QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SecureProtocols,
|
||||
QSsl::SslOptionDisableEmptyFragments
|
||||
|
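Review bot: The `#else` branch of the new default-options check expects a mask without `SSL_OP_NO_COMPRESSION`, so when the OpenSSL headers lack that macro the test passes even though the CRIME mitigation from this commit is not in effect. That outcome should be visible in the test log rather than silent. I would add a line in the `#else` branch such as `qWarning("SSL_OP_NO_COMPRESSION unavailable: TLS compression cannot be disabled with this OpenSSL");`. The `#ifdef` is also evaluated against the headers the test is compiled with; if the backend resolves OpenSSL at run time (not visible here), the library actually loaded could differ, so a comment stating that assumption would help. The body of `sslOptions()` continues outside the hunk.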