From 5ea896fbc63593f424a7dfbb11387599c0025c74 Mon Sep 17 00:00:00 2001
From: Richard Moore <rich@kde.org>
Date: Tue, 11 Sep 2012 22:49:55 +0100
Subject: [PATCH] Disable SSL compression by default.

Disable SSL compression by default since this appears to be the a likely
cause of the currently hyped CRIME attack.

Change-Id: I515fcc46f5199acf938e9e880a4345f2d405b2a3
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Peter Hartmann <phartmann@rim.com>
---
 src/network/ssl/qssl.cpp                             | 5 +++--
 src/network/ssl/qsslconfiguration.cpp                | 3 ++-
 tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp | 6 ++++++
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
index c6f708b..49e2a53 100644
--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@@ -164,8 +164,9 @@ QT_BEGIN_NAMESPACE
 
     By default, SslOptionDisableEmptyFragments is turned on since this causes
     problems with a large number of servers. SslOptionDisableLegacyRenegotiation
-    is also turned on, since it introduces a security risk. The other options
-    are turned off.
+    is also turned on, since it introduces a security risk.
+    SslOptionDisableCompression is turned on to prevent the attack publicised by
+    CRIME. The other options are turned off.
 
     Note: Availability of above options depends on the version of the SSL
     backend in use.
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
index 9633737..c9691e4 100644
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -48,7 +48,8 @@
 QT_BEGIN_NAMESPACE
 
 const QSsl::SslOptions QSslConfigurationPrivate::defaultSslOptions = QSsl::SslOptionDisableEmptyFragments
-                                                                    |QSsl::SslOptionDisableLegacyRenegotiation;
+                                                                    |QSsl::SslOptionDisableLegacyRenegotiation
+                                                                    |QSsl::SslOptionDisableCompression;
 
 /*!
     \class QSslConfiguration
diff --git a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
index 350d4c4..b7422a0 100644
--- a/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
+++ b/tests/auto/network/ssl/qsslsocket/tst_qsslsocket.cpp
@@ -2109,9 +2109,15 @@ void tst_QSslSocket::sslOptions()
     if (!QSslSocket::supportsSsl())
         return;
 
+#ifdef SSL_OP_NO_COMPRESSION
+    QCOMPARE(QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SecureProtocols,
+                                                           QSslConfigurationPrivate::defaultSslOptions),
+             long(SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_COMPRESSION));
+#else
     QCOMPARE(QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SecureProtocols,
                                                            QSslConfigurationPrivate::defaultSslOptions),
              long(SSL_OP_ALL|SSL_OP_NO_SSLv2));
+#endif
 
     QCOMPARE(QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SecureProtocols,
                                                            QSsl::SslOptionDisableEmptyFragments
-- 
2.7.4