Disable SSL compression by default.

Disable SSL compression by default since this appears to be the a likely cause of the currently hyped CRIME attack. This is a backport of 5ea896fbc63593f424a7dfbb11387599c0025c74 Change-Id: I6eeefb23c6b140a9633b28ed85879459c474348a Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> Reviewed-by: Peter Hartmann <phartmann@rim.com>
author: Richard Moore <rich@kde.org> 2012-09-13 23:13:08 (GMT)
committer: The Qt Project <gerrit-noreply@qt-project.org> 2012-09-19 09:38:58 (GMT)
commit: d41dc3e101a694dec98d7bbb582d428d209e5401 (patch)
tree: b6177842a62fa9605d36cba586e68873a5c16e9e
parent: d8f1f7a29c277c9a643fd048b87f530e37773676 (diff)
download: Qt-d41dc3e101a694dec98d7bbb582d428d209e5401.zip
Qt-d41dc3e101a694dec98d7bbb582d428d209e5401.tar.gz
Qt-d41dc3e101a694dec98d7bbb582d428d209e5401.tar.bz2
3 files changed, 9 insertions, 4 deletions
diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
index 49e086f..9578178 100644
--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@@ -148,8 +148,9 @@ QT_BEGIN_NAMESPACE
 
     By default, SslOptionDisableEmptyFragments is turned on since this causes
     problems with a large number of servers. SslOptionDisableLegacyRenegotiation
-    is also turned on, since it introduces a security risk. The other options
-    are turned off.
+    is also turned on, since it introduces a security risk.
+    SslOptionDisableCompression is turned on to prevent the attack publicised by
+    CRIME. The other options are turned off.
 
     Note: Availability of above options depends on the version of the SSL
     backend in use.
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
index 24c7b77..3a05f54 100644
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -201,7 +201,9 @@ bool QSslConfiguration::isNull() const
             d->privateKey.isNull() &&
             d->peerCertificate.isNull() &&
             d->peerCertificateChain.count() == 0 &&
-            d->sslOptions == (QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation));
+            d->sslOptions == ( QSsl::SslOptionDisableEmptyFragments
+                              |QSsl::SslOptionDisableLegacyRenegotiation
+                              |QSsl::SslOptionDisableCompression));
 }
 
 /*!
diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h
index 74f17cd..c36b651 100644
--- a/src/network/ssl/qsslconfiguration_p.h
+++ b/src/network/ssl/qsslconfiguration_p.h
@@ -83,7 +83,9 @@ public:
         : protocol(QSsl::SecureProtocols),
           peerVerifyMode(QSslSocket::AutoVerifyPeer),
           peerVerifyDepth(0),
-          sslOptions(QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation)
+          sslOptions(QSsl::SslOptionDisableEmptyFragments
+                     |QSsl::SslOptionDisableLegacyRenegotiation
+                     |QSsl::SslOptionDisableCompression)
     { }
 
     QSslCertificate peerCertificate;
author	Richard Moore <rich@kde.org>	2012-09-13 23:13:08 (GMT)
committer	The Qt Project <gerrit-noreply@qt-project.org>	2012-09-19 09:38:58 (GMT)
commit	d41dc3e101a694dec98d7bbb582d428d209e5401 (patch)
tree	b6177842a62fa9605d36cba586e68873a5c16e9e
parent	d8f1f7a29c277c9a643fd048b87f530e37773676 (diff)
download	Qt-d41dc3e101a694dec98d7bbb582d428d209e5401.zip Qt-d41dc3e101a694dec98d7bbb582d428d209e5401.tar.gz Qt-d41dc3e101a694dec98d7bbb582d428d209e5401.tar.bz2