Restore -no_comp switch for backwards compatible behaviour
Reviewed-by: Emilia Käsper <emilia@openssl.org>
diff --git a/apps/apps.h b/apps/apps.h
index 52e57f8..15a044e 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -285,11 +285,11 @@
# define OPT_S_ENUM \
OPT_S__FIRST=3000, \
OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
- OPT_S_BUGS, OPT_S_COMP, OPT_S_ECDHSINGLE, OPT_S_NOTICKET, \
+ OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_ECDHSINGLE, OPT_S_NOTICKET, \
OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \
OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \
- OPT_S_DHPARAM, OPT_S_DEBUGBROKE, \
+ OPT_S_DHPARAM, OPT_S_DEBUGBROKE, OPT_S_COMP, \
OPT_S__LAST
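Review bot: OPT_S_NO_COMP takes the enum position that OPT_S_COMP held, and OPT_S_COMP is appended just before OPT_S__LAST, but nothing in the hunk says why the pair is not kept adjacent the way `no_comp`/`comp` are in the OPT_S_OPTIONS table and in the ssl_conf.c switch list. If the intent is to leave the enumerators that follow OPT_S_BUGS at their previous values, a short comment on the moved line, `OPT_S_DHPARAM, OPT_S_DEBUGBROKE, OPT_S_COMP, /* appended; OPT_S_NO_COMP reuses the old OPT_S_COMP slot */ \`, would record that. As far as this page shows these enumerators are only consumed by the case list in the third hunk of this file, so the order looks functionally irrelevant, but the asymmetry with the ssl_conf.c tables is the kind of thing a later edit can trip over. The OPT_S_ENUM macro itself begins before the first line of the hunk.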
# define OPT_S_OPTIONS \
@@ -298,6 +298,7 @@
{"no_tls1_1", OPT_S_NOTLS1_1, '-' }, \
{"no_tls1_2", OPT_S_NOTLS1_2, '-' }, \
{"bugs", OPT_S_BUGS, '-' }, \
+ {"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, \
{"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \
{"ecdh_single", OPT_S_ECDHSINGLE, '-' }, \
{"no_ticket", OPT_S_NOTICKET, '-' }, \
@@ -327,6 +328,7 @@
case OPT_S_NOTLS1_1: \
case OPT_S_NOTLS1_2: \
case OPT_S_BUGS: \
+ case OPT_S_NO_COMP: \
case OPT_S_COMP: \
case OPT_S_ECDHSINGLE: \
case OPT_S_NOTICKET: \
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index 2d5ef41..e9f3280 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -71,6 +71,8 @@
[B<-fallback_scsv>]
[B<-async>]
[B<-bugs>]
+[B<-comp>]
+[B<-no_comp>]
[B<-cipher cipherlist>]
[B<-serverpref>]
[B<-starttls protocol>]
@@ -326,6 +328,19 @@
there are several known bug in SSL and TLS implementations. Adding this
option enables various workarounds.
+=item B<-comp>
+
+Enables support for SSL/TLS compression.
+This option was introduced in OpenSSL 1.1.0.
+TLS compression is not recommended and is off by default as of
+OpenSSL 1.1.0.
+
+=item B<-no_comp>
+
+Disables support for SSL/TLS compression.
+TLS compression is not recommended and is off by default as of
+OpenSSL 1.1.0.
+
=item B<-brief>
only provide a brief summary of connection parameters instead of the
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index 59d600d..b9ef5e6 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -77,6 +77,8 @@
[B<-no_tls1>]
[B<-no_dhe>]
[B<-bugs>]
+[B<-comp>]
+[B<-no_comp>]
[B<-brief>]
[B<-www>]
[B<-WWW>]
@@ -313,6 +315,19 @@
there are several known bug in SSL and TLS implementations. Adding this
option enables various workarounds.
+=item B<-comp>
+
+Enable negotiation of TLS compression.
+This option was introduced in OpenSSL 1.1.0.
+TLS compression is not recommended and is off by default as of
+OpenSSL 1.1.0.
+
+=item B<-no_comp>
+
+Disable negotiation of TLS compression.
+TLS compression is not recommended and is off by default as of
+OpenSSL 1.1.0.
+
=item B<-brief>
only provide a brief summary of connection parameters instead of the
diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod
index 6947865..b3c9df9 100644
--- a/doc/ssl/SSL_CONF_cmd.pod
+++ b/doc/ssl/SSL_CONF_cmd.pod
@@ -133,7 +133,16 @@
=item B<-comp>
-Enables support for SSL/TLS compression, same as clearing B<SSL_OP_NO_COMPRESSION>.
+Enables support for SSL/TLS compression, same as clearing
+B<SSL_OP_NO_COMPRESSION>.
+This command was introduced in OpenSSL 1.1.0.
+As of OpenSSL 1.1.0, compression is off by default.
+
+=item B<-no_comp>
+
+Disables support for SSL/TLS compression, same as setting
+B<SSL_OP_NO_COMPRESSION>.
+As of OpenSSL 1.1.0, compression is off by default.
=item B<-no_ticket>
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index d0935cf..1846155 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -581,6 +581,7 @@
SSL_CONF_CMD_SWITCH("no_tls1_1", 0),
SSL_CONF_CMD_SWITCH("no_tls1_2", 0),
SSL_CONF_CMD_SWITCH("bugs", 0),
+ SSL_CONF_CMD_SWITCH("no_comp", 0),
SSL_CONF_CMD_SWITCH("comp", 0),
SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER),
SSL_CONF_CMD_SWITCH("no_ticket", 0),
@@ -640,7 +641,8 @@
{SSL_OP_NO_TLSv1_1, 0}, /* no_tls1_1 */
{SSL_OP_NO_TLSv1_2, 0}, /* no_tls1_2 */
{SSL_OP_ALL, 0}, /* bugs */
- {SSL_OP_NO_COMPRESSION, 1}, /* comp */
+ {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */
+ {SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */
{SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */
{SSL_OP_NO_TICKET, 0}, /* no_ticket */
{SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */
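Review bot: This option table and the SSL_CONF_CMD_SWITCH list in the hunk at -581 are parallel arrays matched by position, so the new `no_comp` row must sit at the same index in both; the commit gets this right, but neither table states the invariant beyond the trailing `/* no_comp */` name comments. A one-line comment at the head of this table, `/* One row per SSL_CONF_CMD_SWITCH entry above, in the same order */`, would make the coupling explicit for the next person who adds a switch. Since both rows act on the same SSL_OP_NO_COMPRESSION bit, one of them via SSL_TFLAG_INV, passing `-comp` and `-no_comp` together appears to leave the last one on the command line in effect; if that is the intended semantics it is worth a sentence in SSL_CONF_cmd.pod so nobody assumes `-no_comp` is sticky. Both tables begin before the first line of their respective hunks.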
diff --git a/util/TLSProxy/Proxy.pm b/util/TLSProxy/Proxy.pm
index 283c765..45871b8 100644
--- a/util/TLSProxy/Proxy.pm
+++ b/util/TLSProxy/Proxy.pm
@@ -183,7 +183,7 @@
or die "Failed to redirect stdout: $!";
open(STDERR, ">&STDOUT");
my $execcmd = $self->execute
- ." s_server -rev -engine ossltest -accept "
+ ." s_server -no_comp -rev -engine ossltest -accept "
.($self->server_port)
." -cert ".$self->cert." -naccept ".$self->serverconnects;
if ($self->ciphers ne "") {
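Review bot: The added `-no_comp` on the s_server command line carries no comment explaining why the proxy pins compression off when the documentation in this same commit says it is already off by default; a line such as `# explicitly disable TLS compression so the proxy's record handling does not depend on the library default` above `my $execcmd` would capture the intent, presumably that the proxy inspects plaintext records and must not see compressed ones — worth confirming. The command is still assembled as a single string by concatenation; the pieces come from the object's own attributes rather than external input and this style predates the change, so it is out of scope here, but it is the reason every added token must remain free of shell metacharacters. The enclosing subroutine, and the `open(STDOUT, ...)` statement that the first context line closes, both begin before the hunk.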