Restore -no_comp switch for backwards compatible behaviour

Reviewed-by: N Emilia Käsper <emilia@openssl.org>

Restore -no_comp switch for backwards compatible behaviour
Reviewed-by: N Emilia Käsper <emilia@openssl.org>
cc5a9ba4 · Viktor Dukhovni · 424d5db2 · cc5a9ba4 · cc5a9ba4 · cc5a9ba4
6 changed file
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -285,11 +285,11 @@ void wait_for_async(SSL *s);
 # define OPT_S_ENUM \
        OPT_S__FIRST=3000, \
        OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
-        OPT_S_BUGS, OPT_S_COMP, OPT_S_ECDHSINGLE, OPT_S_NOTICKET, \
+        OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_ECDHSINGLE, OPT_S_NOTICKET, \
        OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
        OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \
        OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \
-        OPT_S_DHPARAM, OPT_S_DEBUGBROKE, \
+        OPT_S_DHPARAM, OPT_S_DEBUGBROKE, OPT_S_COMP, \
        OPT_S__LAST

 # define OPT_S_OPTIONS \
@@ -298,6 +298,7 @@ void wait_for_async(SSL *s);
        {"no_tls1_1", OPT_S_NOTLS1_1, '-' }, \
        {"no_tls1_2", OPT_S_NOTLS1_2, '-' }, \
        {"bugs", OPT_S_BUGS, '-' }, \
+        {"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, \
        {"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \
        {"ecdh_single", OPT_S_ECDHSINGLE, '-' }, \
        {"no_ticket", OPT_S_NOTICKET, '-' }, \
@@ -327,6 +328,7 @@ void wait_for_async(SSL *s);
        case OPT_S_NOTLS1_1: \
        case OPT_S_NOTLS1_2: \
        case OPT_S_BUGS: \
+        case OPT_S_NO_COMP: \
        case OPT_S_COMP: \
        case OPT_S_ECDHSINGLE: \
        case OPT_S_NOTICKET: \

--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -71,6 +71,8 @@ B<openssl> B<s_client>
 [B<-fallback_scsv>]
 [B<-async>]
 [B<-bugs>]
+[B<-comp>]
+[B<-no_comp>]
 [B<-cipher cipherlist>]
 [B<-serverpref>]
 [B<-starttls protocol>]
@@ -326,6 +328,19 @@ is also used via the B<-engine> option. For test purposes the dummy async engine
 there are several known bug in SSL and TLS implementations. Adding this
 option enables various workarounds.

+=item B<-comp>
+
+Enables support for SSL/TLS compression.
+This option was introduced in OpenSSL 1.1.0.
+TLS compression is not recommended and is off by default as of
+OpenSSL 1.1.0.
+
+=item B<-no_comp>
+
+Disables support for SSL/TLS compression.
+TLS compression is not recommended and is off by default as of
+OpenSSL 1.1.0.
+
 =item B<-brief>

 only provide a brief summary of connection parameters instead of the

--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -77,6 +77,8 @@ B<openssl> B<s_server>
 [B<-no_tls1>]
 [B<-no_dhe>]
 [B<-bugs>]
+[B<-comp>]
+[B<-no_comp>]
 [B<-brief>]
 [B<-www>]
 [B<-WWW>]
@@ -313,6 +315,19 @@ is also used via the B<-engine> option. For test purposes the dummy async engine
 there are several known bug in SSL and TLS implementations. Adding this
 option enables various workarounds.

+=item B<-comp>
+
+Enable negotiation of TLS compression.
+This option was introduced in OpenSSL 1.1.0.
+TLS compression is not recommended and is off by default as of
+OpenSSL 1.1.0.
+
+=item B<-no_comp>
+
+Disable negotiation of TLS compression.
+TLS compression is not recommended and is off by default as of
+OpenSSL 1.1.0.
+
 =item B<-brief>

 only provide a brief summary of connection parameters instead of the

--- a/doc/ssl/SSL_CONF_cmd.pod
+++ b/doc/ssl/SSL_CONF_cmd.pod
@@ -133,7 +133,16 @@ Various bug workarounds are set, same as setting B<SSL_OP_ALL>.

 =item B<-comp>

-Enables support for SSL/TLS compression, same as clearing B<SSL_OP_NO_COMPRESSION>.
+Enables support for SSL/TLS compression, same as clearing
+B<SSL_OP_NO_COMPRESSION>.
+This command was introduced in OpenSSL 1.1.0.
+As of OpenSSL 1.1.0, compression is off by default.
+
+=item B<-no_comp>
+
+Disables support for SSL/TLS compression, same as setting
+B<SSL_OP_NO_COMPRESSION>.
+As of OpenSSL 1.1.0, compression is off by default.

 =item B<-no_ticket>


--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -581,6 +581,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
    SSL_CONF_CMD_SWITCH("no_tls1_1", 0),
    SSL_CONF_CMD_SWITCH("no_tls1_2", 0),
    SSL_CONF_CMD_SWITCH("bugs", 0),
+    SSL_CONF_CMD_SWITCH("no_comp", 0),
    SSL_CONF_CMD_SWITCH("comp", 0),
    SSL_CONF_CMD_SWITCH("ecdh_single", SSL_CONF_FLAG_SERVER),
    SSL_CONF_CMD_SWITCH("no_ticket", 0),
@@ -640,7 +641,8 @@ static const ssl_switch_tbl ssl_cmd_switches[] = {
    {SSL_OP_NO_TLSv1_1, 0},     /* no_tls1_1 */
    {SSL_OP_NO_TLSv1_2, 0},     /* no_tls1_2 */
    {SSL_OP_ALL, 0},            /* bugs */
-    {SSL_OP_NO_COMPRESSION, 1}, /* comp */
+    {SSL_OP_NO_COMPRESSION, 0}, /* no_comp */
+    {SSL_OP_NO_COMPRESSION, SSL_TFLAG_INV}, /* comp */
    {SSL_OP_SINGLE_ECDH_USE, 0}, /* ecdh_single */
    {SSL_OP_NO_TICKET, 0},      /* no_ticket */
    {SSL_OP_CIPHER_SERVER_PREFERENCE, 0}, /* serverpref */

--- a/util/TLSProxy/Proxy.pm
+++ b/util/TLSProxy/Proxy.pm
@@ -183,7 +183,7 @@ sub start
            or die "Failed to redirect stdout: $!";
        open(STDERR, ">&STDOUT");
        my $execcmd = $self->execute
-            ." s_server -rev -engine ossltest -accept "
+            ." s_server -no_comp -rev -engine ossltest -accept "
            .($self->server_port)
            ." -cert ".$self->cert." -naccept ".$self->serverconnects;
        if ($self->ciphers ne "") {