root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Restore -no_comp switch for backwards compatible behaviour 

Reviewed-by: Emilia Käsper <emilia@openssl.org>
This commit is contained in:
Viktor Dukhovni 2016-02-03 16:45:39 -05:00
parent 424d5db248
commit cc5a9ba485
6 changed files with 48 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
apps/apps.h
View File

@ -285,11 +285,11 @@ void wait_for_async(SSL *s);
# define OPT_S_ENUM \ # define OPT_S_ENUM \
OPT_S__FIRST=3000, \ OPT_S__FIRST=3000, \
OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \ OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
OPT_S_BUGS, OPT_S_COMP, OPT_S_ECDHSINGLE, OPT_S_NOTICKET, \ OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_ECDHSINGLE, OPT_S_NOTICKET, \
OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \ OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \ OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \
OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \ OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \
OPT_S_DHPARAM, OPT_S_DEBUGBROKE, \ OPT_S_DHPARAM, OPT_S_DEBUGBROKE, OPT_S_COMP, \
OPT_S__LAST OPT_S__LAST
# define OPT_S_OPTIONS \ # define OPT_S_OPTIONS \
@ -298,6 +298,7 @@ void wait_for_async(SSL *s);
{"no_tls1_1", OPT_S_NOTLS1_1, '-' }, \ {"no_tls1_1", OPT_S_NOTLS1_1, '-' }, \
{"no_tls1_2", OPT_S_NOTLS1_2, '-' }, \ {"no_tls1_2", OPT_S_NOTLS1_2, '-' }, \
{"bugs", OPT_S_BUGS, '-' }, \ {"bugs", OPT_S_BUGS, '-' }, \
{"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, \
{"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \ {"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \
{"ecdh_single", OPT_S_ECDHSINGLE, '-' }, \ {"ecdh_single", OPT_S_ECDHSINGLE, '-' }, \
{"no_ticket", OPT_S_NOTICKET, '-' }, \ {"no_ticket", OPT_S_NOTICKET, '-' }, \
@ -327,6 +328,7 @@ void wait_for_async(SSL *s);
case OPT_S_NOTLS1_1: \ case OPT_S_NOTLS1_1: \
case OPT_S_NOTLS1_2: \ case OPT_S_NOTLS1_2: \
case OPT_S_BUGS: \ case OPT_S_BUGS: \
case OPT_S_NO_COMP: \
case OPT_S_COMP: \ case OPT_S_COMP: \
case OPT_S_ECDHSINGLE: \ case OPT_S_ECDHSINGLE: \
case OPT_S_NOTICKET: \ case OPT_S_NOTICKET: \

15
doc/apps/s_client.pod
View File

@ -71,6 +71,8 @@ B<openssl> B<s_client>
[B<-fallback_scsv>] [B<-fallback_scsv>]
[B<-async>] [B<-async>]
[B<-bugs>] [B<-bugs>]
[B<-comp>]
[B<-no_comp>]
[B<-cipher cipherlist>] [B<-cipher cipherlist>]
[B<-serverpref>] [B<-serverpref>]
[B<-starttls protocol>] [B<-starttls protocol>]
@ -326,6 +328,19 @@ is also used via the B<-engine> option. For test purposes the dummy async engine
there are several known bug in SSL and TLS implementations. Adding this there are several known bug in SSL and TLS implementations. Adding this
option enables various workarounds. option enables various workarounds.
=item B<-comp>
Enables support for SSL/TLS compression.
This option was introduced in OpenSSL 1.1.0.
TLS compression is not recommended and is off by default as of
OpenSSL 1.1.0.
=item B<-no_comp>
Disables support for SSL/TLS compression.
TLS compression is not recommended and is off by default as of
OpenSSL 1.1.0.
=item B<-brief> =item B<-brief>
only provide a brief summary of connection parameters instead of the only provide a brief summary of connection parameters instead of the

15
doc/apps/s_server.pod
View File

@ -77,6 +77,8 @@ B<openssl> B<s_server>
[B<-no_tls1>] [B<-no_tls1>]
[B<-no_dhe>] [B<-no_dhe>]
[B<-bugs>] [B<-bugs>]
[B<-comp>]
[B<-no_comp>]
[B<-brief>] [B<-brief>]
[B<-www>] [B<-www>]
[B<-WWW>] [B<-WWW>]
@ -313,6 +315,19 @@ is also used via the B<-engine> option. For test purposes the dummy async engine
there are several known bug in SSL and TLS implementations. Adding this there are several known bug in SSL and TLS implementations. Adding this
option enables various workarounds. option enables various workarounds.
=item B<-comp>
Enable negotiation of TLS compression.
This option was introduced in OpenSSL 1.1.0.
TLS compression is not recommended and is off by default as of
OpenSSL 1.1.0.
=item B<-no_comp>
Disable negotiation of TLS compression.
TLS compression is not recommended and is off by default as of
OpenSSL 1.1.0.
=item B<-brief> =item B<-brief>
only provide a brief summary of connection parameters instead of the only provide a brief summary of connection parameters instead of the

11
doc/ssl/SSL_CONF_cmd.pod
View File

@ -133,7 +133,16 @@ Various bug workarounds are set, same as setting B<SSL_OP_ALL>.
=item B<-comp> =item B<-comp>
Enables support for SSL/TLS compression, same as clearing B<SSL_OP_NO_COMPRESSION>. Enables support for SSL/TLS compression, same as clearing
B<SSL_OP_NO_COMPRESSION>.
This command was introduced in OpenSSL 1.1.0.
As of OpenSSL 1.1.0, compression is off by default.
=item B<-no_comp>
Disables support for SSL/TLS compression, same as setting
B<SSL_OP_NO_COMPRESSION>.
As of OpenSSL 1.1.0, compression is off by default.
=item B<-no_ticket> =item B<-no_ticket>

4
ssl/ssl_conf.c
View File

@ -581,6 +581,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
SSL_CONF_CMD_SWITCH("no_tls1_1", 0), SSL_CONF_CMD_SWITCH("no_tls1_1", 0),
SSL_CONF_CMD_SWITCH("no_tls1_2", 0), SSL_CONF_CMD_SWITCH("no_tls1_2", 0),
SSL_CONF_CMD_SWITCH("bugs", 0), SSL_CONF_CMD_SWITCH("bugs", 0),
SSL_CONF_CMD_SWITCH("no_comp", 0),
SSL_CONF_CMD_SWITCH("comp", 0), SSL_CONF_CMD_SWITCH("comp", 0),
SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("no_ticket", 0), SSL_CONF_CMD_SWITCH("no_ticket", 0),
@ -640,7 +641,8 @@ static const ssl_switch_tbl ssl_cmd_switches[] = {
{SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */ {SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */
{SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */ {SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */
{SSL_OP_ALL, 0}, /* bugs */ {SSL_OP_ALL, 0}, /* bugs */
{SSL_OP_NO_COMPRESSION, 1}, /* comp */ {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */
{SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */
{SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */ {SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */
{SSL_OP_NO_TICKET, 0}, /* no_ticket */ {SSL_OP_NO_TICKET, 0}, /* no_ticket */
{SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */ {SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */

2
util/TLSProxy/Proxy.pm
View File

@ -183,7 +183,7 @@ sub start
or die "Failed to redirect stdout: $!"; or die "Failed to redirect stdout: $!";
open(STDERR, ">&STDOUT"); open(STDERR, ">&STDOUT");
my $execcmd = $self->execute my $execcmd = $self->execute
." s_server -rev -engine ossltest -accept " ." s_server -no_comp -rev -engine ossltest -accept "
.($self->server_port) .($self->server_port)
." -cert ".$self->cert." -naccept ".$self->serverconnects; ." -cert ".$self->cert." -naccept ".$self->serverconnects;
if ($self->ciphers ne "") { if ($self->ciphers ne "") {