
Added ssl context option, "disable_compression"

The CRIME attack vector exploits TLS compression. This patch adds a stream context option
allowing servers to disable TLS compression for versions of OpenSSL >= 1.0.0 (which first
introduced the SSL_OP_NO_COMPRESSION option). A summary rundown of the CRIME attack can
be found at https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls

Thanks to @DaveRandom for pointing out the relevant section of code.
rdlowrey authored and lstrojny committed Jan 30, 2013
1 parent bb4d11b commit 4a01ddfb5569da1b87dd4cac95c3f709fb607396
Showing with 12 additions and 0 deletions.
  1. +12 −0 ext/openssl/xp_ssl.c
@@ -395,6 +395,18 @@ static inline int php_openssl_setup_crypto(php_stream *stream,
}
#endif

#if OPENSSL_VERSION_NUMBER >= 0x10000000L
{
zval **val;

if (stream->context && SUCCESS == php_stream_context_get_option(
stream->context, "ssl", "disable_compression", &val) &&
zval_is_true(*val)) {
SSL_CTX_set_options(sslsock->ctx, SSL_OP_NO_COMPRESSION);
}
}
#endif

sslsock->ssl_handle = php_SSL_new_from_context(sslsock->ctx, stream TSRMLS_CC);
if (sslsock->ssl_handle == NULL) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "failed to create an SSL handle");
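Review bot: The new "disable_compression" option is silently ignored when the whole block is compiled out by the `#if OPENSSL_VERSION_NUMBER >= 0x10000000L` guard, so a server operator who sets the option on a build against an older OpenSSL gets no indication that TLS compression is still enabled. Consider an `#else` branch that reads the same option and raises `php_error_docref(NULL TSRMLS_CC, E_WARNING, ...)` when it is set, so the CRIME mitigation the commit message describes fails loudly rather than quietly. Two smaller points: the option is opt-in (compression stays enabled unless the context explicitly sets `disable_compression` to true), which the commit message should state so deployers know a default server remains exposed; and the new context option needs a matching entry in the stream context documentation, since nothing in this change documents its name or accepted values.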
