Disable SSL compression by default.

author Richard Moore <rich@kde.org>

Tue, 11 Sep 2012 21:49:55 +0000 (22:49 +0100)

committer The Qt Project <gerrit-noreply@qt-project.org>

Tue, 18 Sep 2012 12:12:17 +0000 (14:12 +0200)
author Richard Moore <rich@kde.org>
Tue, 11 Sep 2012 21:49:55 +0000 (22:49 +0100)
committer The Qt Project <gerrit-noreply@qt-project.org>
Tue, 18 Sep 2012 12:12:17 +0000 (14:12 +0200)
diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp

index c6f708b..49e2a53 100644 (file)
--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@@ -164,8 +164,9 @@ QT_BEGIN_NAMESPACE
  
      By default, SslOptionDisableEmptyFragments is turned on since this causes
      problems with a large number of servers. SslOptionDisableLegacyRenegotiation
-    is also turned on, since it introduces a security risk. The other options
-    are turned off.
+    is also turned on, since it introduces a security risk.
+    SslOptionDisableCompression is turned on to prevent the attack publicised by
+    CRIME. The other options are turned off.
  
      Note: Availability of above options depends on the version of the SSL
      backend in use.
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp

index 9633737..c9691e4 100644 (file)
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -48,7 +48,8 @@
  QT_BEGIN_NAMESPACE
  
  const QSsl::SslOptions QSslConfigurationPrivate::defaultSslOptions = QSsl::SslOptionDisableEmptyFragments
-                                                                    |QSsl::SslOptionDisableLegacyRenegotiation;
+                                                                    |QSsl::SslOptionDisableLegacyRenegotiation
+                                                                    |QSsl::SslOptionDisableCompression;
  
  /*!
      \class QSslConfiguration
diff --git a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp

index 350d4c4..b7422a0 100644 (file)
--- a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
+++ b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
@@ -2109,9 +2109,15 @@ void tst_QSslSocket::sslOptions()
      if (!QSslSocket::supportsSsl())
          return;
  
+#ifdef SSL_OP_NO_COMPRESSION
+    QCOMPARE(QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SecureProtocols,
+                                                           QSslConfigurationPrivate::defaultSslOptions),
+             long(SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_COMPRESSION));
+#else
      QCOMPARE(QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SecureProtocols,
                                                             QSslConfigurationPrivate::defaultSslOptions),
               long(SSL_OP_ALL|SSL_OP_NO_SSLv2));
+#endif
  
      QCOMPARE(QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SecureProtocols,
                                                             QSsl::SslOptionDisableEmptyFragments
author	Richard Moore <rich@kde.org>
	Tue, 11 Sep 2012 21:49:55 +0000 (22:49 +0100)
committer	The Qt Project <gerrit-noreply@qt-project.org>
	Tue, 18 Sep 2012 12:12:17 +0000 (14:12 +0200)
src/network/ssl/qssl.cpp		patch \| blob \| history
src/network/ssl/qsslconfiguration.cpp		patch \| blob \| history
tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp		patch \| blob \| history