Added ssl context option, "disable_compression"

rdlowrey · lstrojny · commit 4a01ddfb5569 · 2013-01-31T00:31:10.000+01:00
The CRIME attack vector exploits TLS compression. This patch adds a stream context option allowing servers to disable TLS compression for versions of OpenSSL >= 1.0.0 (which first introduced the SSL_OP_NO_COMPRESSION option). A summary rundown of the CRIME attack can be found at https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls Thanks to @DaveRandom for pointing out the relevant section of code.
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
@@ -395,6 +395,18 @@ static inline int php_openssl_setup_crypto(php_stream *stream,
 	}
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+	{
+		zval **val;
+		
+		if (stream->context && SUCCESS == php_stream_context_get_option(
+					stream->context, "ssl", "disable_compression", &val) &&
+				zval_is_true(*val)) {
+			SSL_CTX_set_options(sslsock->ctx, SSL_OP_NO_COMPRESSION);
+		}
+	}
+#endif
+
 	sslsock->ssl_handle = php_SSL_new_from_context(sslsock->ctx, stream TSRMLS_CC);
 	if (sslsock->ssl_handle == NULL) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "failed to create an SSL handle");
