author | Richard Moore <rich@kde.org> | 2012-09-13 23:13:08 (GMT) |
---|---|---|
committer | The Qt Project <gerrit-noreply@qt-project.org> | 2012-09-19 09:38:58 (GMT) |
commit | d41dc3e101a694dec98d7bbb582d428d209e5401 (patch) | |
tree | b6177842a62fa9605d36cba586e68873a5c16e9e | |
parent | d8f1f7a29c277c9a643fd048b87f530e37773676 (diff) | |
Disable SSL compression by default.
Disable SSL compression by default since this appears to be a likely
cause of the currently hyped CRIME attack.
This is a backport of 5ea896fbc63593f424a7dfbb11387599c0025c74
Change-Id: I6eeefb23c6b140a9633b28ed85879459c474348a
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Peter Hartmann <phartmann@rim.com>
-rw-r--r-- | src/network/ssl/qssl.cpp | 5 | ||||
-rw-r--r-- | src/network/ssl/qsslconfiguration.cpp | 4 | ||||
-rw-r--r-- | src/network/ssl/qsslconfiguration_p.h | 4 |
3 files changed, 9 insertions, 4 deletions
diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
index 49e086f..9578178 100644
--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@@ -148,8 +148,9 @@ QT_BEGIN_NAMESPACE
 By default, SslOptionDisableEmptyFragments is turned on since this causes problems with a large number of servers. SslOptionDisableLegacyRenegotiation
- is also turned on, since it introduces a security risk. The other options
- are turned off.
+ is also turned on, since it introduces a security risk.
+ SslOptionDisableCompression is turned on to prevent the attack publicised by
+ CRIME. The other options are turned off.
 Note: Availability of above options depends on the version of the SSL backend in use.
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
index 24c7b77..3a05f54 100644
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -201,7 +201,9 @@ bool QSslConfiguration::isNull() const
 d->privateKey.isNull() &&
 d->peerCertificate.isNull() &&
 d->peerCertificateChain.count() == 0 &&
- d->sslOptions == (QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation));
+ d->sslOptions == ( QSsl::SslOptionDisableEmptyFragments
+ |QSsl::SslOptionDisableLegacyRenegotiation
+ |QSsl::SslOptionDisableCompression));
 }
 /*!
diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h
index 74f17cd..c36b651 100644
--- a/src/network/ssl/qsslconfiguration_p.h
+++ b/src/network/ssl/qsslconfiguration_p.h
@@ -83,7 +83,9 @@ public:
 : protocol(QSsl::SecureProtocols),
 peerVerifyMode(QSslSocket::AutoVerifyPeer),
 peerVerifyDepth(0),
- sslOptions(QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation)
+ sslOptions(QSsl::SslOptionDisableEmptyFragments
+ |QSsl::SslOptionDisableLegacyRenegotiation
+ |QSsl::SslOptionDisableCompression)
 { }
 QSslCertificate peerCertificate;
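Review bot: In the added qdoc line of the qssl.cpp hunk, "the attack publicised by CRIME" reads as though CRIME were the party that published the attack, when CRIME is the name of the attack itself; `SslOptionDisableCompression is turned on to prevent the CRIME attack.` says the same thing unambiguously. The paragraph also no longer tells a reader whose application genuinely relies on TLS compression how to opt back in, so a closing sentence pointing at the option setter on QSslConfiguration would complete the note. The documented defaults now match the mask set in the other two hunks, which is the important part.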
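Review bot: The default option mask is now spelled out in full in two places, here in QSslConfiguration::isNull() and again in the private-data constructor in the qsslconfiguration_p.h hunk, and this commit had to edit both in lockstep; the next option added to the default set will have to do the same, and a missed update would make isNull() report a freshly constructed configuration as non-null. A single named constant in the private header, for example `static const QSsl::SslOptions kDefaultSslOptions = QSsl::SslOptionDisableEmptyFragments | QSsl::SslOptionDisableLegacyRenegotiation | QSsl::SslOptionDisableCompression;`, used by the constructor and compared here as `d->sslOptions == kDefaultSslOptions`, removes that coupling. The body of isNull() begins before the start of this hunk.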
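Review bot: The qsslconfiguration_p.h hunk only changes the default mask; nothing in this backport shows the backend side that turns QSsl::SslOptionDisableCompression into an actual setting on the SSL context, and the qssl.cpp note in this same commit says option availability depends on the SSL backend version. If that translation is not already present in this branch the new default is silently a no-op, so it would be worth confirming that the backend change from the original commit is also in place and, if possible, adding a test that a default-constructed QSslConfiguration reports the option as set. The enclosing constructor's signature lies above the start of the hunk.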