authorRichard Moore <rich@kde.org>2012-09-13 23:13:08 (GMT)
committerThe Qt Project <gerrit-noreply@qt-project.org>2012-09-19 09:38:58 (GMT)
commitd41dc3e101a694dec98d7bbb582d428d209e5401 (patch)
treeb6177842a62fa9605d36cba586e68873a5c16e9e
parentd8f1f7a29c277c9a643fd048b87f530e37773676 (diff)
Disable SSL compression by default.
Disable SSL compression by default since this appears to be a likely cause of the currently hyped CRIME attack. This is a backport of 5ea896fbc63593f424a7dfbb11387599c0025c74 Change-Id: I6eeefb23c6b140a9633b28ed85879459c474348a Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> Reviewed-by: Peter Hartmann <phartmann@rim.com>
-rw-r--r--src/network/ssl/qssl.cpp5
-rw-r--r--src/network/ssl/qsslconfiguration.cpp4
-rw-r--r--src/network/ssl/qsslconfiguration_p.h4
3 files changed, 9 insertions, 4 deletions
diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
index 49e086f..9578178 100644
--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@@ -148,8 +148,9 @@ QT_BEGIN_NAMESPACE
By default, SslOptionDisableEmptyFragments is turned on since this causes
problems with a large number of servers. SslOptionDisableLegacyRenegotiation
- is also turned on, since it introduces a security risk. The other options
- are turned off.
+ is also turned on, since it introduces a security risk.
+ SslOptionDisableCompression is turned on to prevent the attack publicised by
+ CRIME. The other options are turned off.
Note: Availability of above options depends on the version of the SSL
backend in use.
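Review bot: The new sentence at the third and fourth added lines states that SslOptionDisableCompression "is turned on to prevent the attack publicised by CRIME" as an unconditional guarantee, while the "Note" two lines below makes every option's availability depend on the SSL backend; readers will take the default as a mitigation even on backends that cannot honour it. Suggest qualifying the claim, e.g. `SslOptionDisableCompression is turned on to mitigate the CRIME attack; on backends that do not support disabling compression this option has no effect and compression stays enabled.` It would also help to say how applications that depend on compression can opt back in, by clearing the option with setSslOption(..., false), since this changes the default for existing users.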
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
index 24c7b77..3a05f54 100644
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -201,7 +201,9 @@ bool QSslConfiguration::isNull() const
d->privateKey.isNull() &&
d->peerCertificate.isNull() &&
d->peerCertificateChain.count() == 0 &&
- d->sslOptions == (QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation));
+ d->sslOptions == ( QSsl::SslOptionDisableEmptyFragments
+ |QSsl::SslOptionDisableLegacyRenegotiation
+ |QSsl::SslOptionDisableCompression));
}
/*!
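Review bot: The default option mask is now spelled out twice — here in the isNull() comparison (the three added lines) and again in the QSslConfigurationPrivate constructor initializer in the qsslconfiguration_p.h hunk — so the next change to the default (this commit itself had to touch both) can leave isNull() reporting a freshly constructed configuration as non-null, or a user-modified one as null. A single named constant defined once in qsslconfiguration_p.h and referenced from both places would remove the duplication; for example a static member such as `static const QSsl::SslOptions defaultSslOptions;` initialised to the three flags, with the comparison becoming `d->sslOptions == QSslConfigurationPrivate::defaultSslOptions);`. The isNull() return expression starts above the hunk, and the private constructor in the header hunk likewise begins before its first visible line.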
diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h
index 74f17cd..c36b651 100644
--- a/src/network/ssl/qsslconfiguration_p.h
+++ b/src/network/ssl/qsslconfiguration_p.h
@@ -83,7 +83,9 @@ public:
: protocol(QSsl::SecureProtocols),
peerVerifyMode(QSslSocket::AutoVerifyPeer),
peerVerifyDepth(0),
- sslOptions(QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation)
+ sslOptions(QSsl::SslOptionDisableEmptyFragments
+ |QSsl::SslOptionDisableLegacyRenegotiation
+ |QSsl::SslOptionDisableCompression)
{ }
QSslCertificate peerCertificate;