Index: /trunk/server/common/patches/httpd-SSLCompression.patch
===================================================================
--- /trunk/server/common/patches/httpd-SSLCompression.patch	(revision 2321)
+++ /trunk/server/common/patches/httpd-SSLCompression.patch	(revision 2321)
@@ -0,0 +1,121 @@
+Description: mod_ssl: Add new directive SSLCompression to disable TLS-level compression.
+Origin: http://svn.apache.org/viewvc?view=revision&revision=1369585
+
+diff -Naur httpd-2.2.22/modules/ssl/mod_ssl.c httpd-2.2.22.patched/modules/ssl/mod_ssl.c
+--- httpd-2.2.22/modules/ssl/mod_ssl.c	2010-07-12 14:47:45.000000000 -0400
++++ httpd-2.2.22.patched/modules/ssl/mod_ssl.c	2012-09-12 17:10:57.417861707 -0400
+@@ -146,6 +146,9 @@
+                 "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+     SSL_CMD_SRV(HonorCipherOrder, FLAG,
+                 "Use the server's cipher ordering preference")
++    SSL_CMD_SRV(Compression, FLAG,
++                "Enable SSL level compression"
++                "(`on', `off')")
+     SSL_CMD_SRV(InsecureRenegotiation, FLAG,
+                 "Enable support for insecure renegotiation")
+     SSL_CMD_ALL(UserName, TAKE1,
+diff -Naur httpd-2.2.22/modules/ssl/ssl_engine_config.c httpd-2.2.22.patched/modules/ssl/ssl_engine_config.c
+--- httpd-2.2.22/modules/ssl/ssl_engine_config.c	2011-04-14 09:56:17.000000000 -0400
++++ httpd-2.2.22.patched/modules/ssl/ssl_engine_config.c	2012-09-12 17:10:57.425862035 -0400
+@@ -178,6 +178,9 @@
+ #ifdef HAVE_FIPS
+     sc->fips                   = UNSET;
+ #endif
++#ifndef OPENSSL_NO_COMP
++    sc->compression            = UNSET;
++#endif
+ 
+     modssl_ctx_init_proxy(sc, p);
+ 
+@@ -275,6 +278,9 @@
+ #ifdef HAVE_FIPS
+     cfgMergeBool(fips);
+ #endif
++#ifndef OPENSSL_NO_COMP
++    cfgMergeBool(compression);
++#endif
+ 
+     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
+ 
+@@ -708,6 +714,23 @@
+ 
+ }
+ 
++const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag)
++{
++#if !defined(OPENSSL_NO_COMP)
++    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
++#ifndef SSL_OP_NO_COMPRESSION
++    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
++    if (err)
++        return "This version of openssl does not support configuring "
++               "compression within <VirtualHost> sections.";
++#endif
++    sc->compression = flag ? TRUE : FALSE;
++    return NULL;
++#else
++    return "Setting Compression mode unsupported; not implemented by the SSL library";
++#endif
++}
++
+ const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag)
+ {
+ #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+diff -Naur httpd-2.2.22/modules/ssl/ssl_engine_init.c httpd-2.2.22.patched/modules/ssl/ssl_engine_init.c
+--- httpd-2.2.22/modules/ssl/ssl_engine_init.c	2011-04-14 09:56:17.000000000 -0400
++++ httpd-2.2.22.patched/modules/ssl/ssl_engine_init.c	2012-09-12 17:10:57.419861789 -0400
+@@ -503,6 +503,18 @@
+     }
+ #endif
+ 
++
++#ifndef OPENSSL_NO_COMP
++    if (sc->compression == FALSE) {
++#ifdef SSL_OP_NO_COMPRESSION
++        /* OpenSSL >= 1.0 only */
++        SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION);
++#elif OPENSSL_VERSION_NUMBER >= 0x00908000L
++        sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
++#endif
++    }
++#endif
++
+ #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+     if (sc->insecure_reneg == TRUE) {
+         SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+diff -Naur httpd-2.2.22/modules/ssl/ssl_private.h httpd-2.2.22.patched/modules/ssl/ssl_private.h
+--- httpd-2.2.22/modules/ssl/ssl_private.h	2011-04-14 09:56:17.000000000 -0400
++++ httpd-2.2.22.patched/modules/ssl/ssl_private.h	2012-09-12 18:11:48.762900287 -0400
+@@ -486,6 +486,9 @@
+ #ifdef HAVE_FIPS
+     BOOL             fips;
+ #endif
++#ifndef OPENSSL_NO_COMP
++    BOOL             compression;
++#endif
+ };
+ 
+ /**
+@@ -542,6 +545,7 @@
+ const char  *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *);
+ const char  *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *);
+ const char  *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
++const char  *ssl_cmd_SSLCompression(cmd_parms *, void *, int flag);
+ const char  *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
+ const char  *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
+ const char  *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
+diff -Naur httpd-2.2.22/modules/ssl/ssl_toolkit_compat.h httpd-2.2.22.patched/modules/ssl/ssl_toolkit_compat.h
+--- httpd-2.2.22/modules/ssl/ssl_toolkit_compat.h	2010-07-12 14:47:45.000000000 -0400
++++ httpd-2.2.22.patched/modules/ssl/ssl_toolkit_compat.h	2012-09-12 18:12:09.982772267 -0400
+@@ -276,6 +276,11 @@
+ #endif
+ #endif
+ 
++#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
++    && OPENSSL_VERSION_NUMBER < 0x00908000L
++#define OPENSSL_NO_COMP
++#endif
++
+ #endif /* SSL_TOOLKIT_COMPAT_H */
+ 
+ /** @} */
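Review bot: In the embedded ssl_engine_init.c hunk, the guard `if (sc->compression == FALSE)` turns compression off only when the directive is explicitly set to off. The field is initialised to `UNSET` in ssl_engine_config.c, so a server with no `SSLCompression` line keeps TLS-level compression enabled. Because the patch exists to mitigate a compression side channel, a fail-closed guard would be safer: `if (sc->compression != TRUE) {` treats unset as off and still lets an administrator opt in with `SSLCompression on`. If the current default is kept for compatibility, a comment above the guard should say so, e.g. `/* UNSET leaves compression enabled; only an explicit "off" disables it */`. The enclosing function starts and ends outside the embedded hunk.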
Index: /trunk/server/fedora/config/etc/httpd/conf/httpd.conf
===================================================================
--- /trunk/server/fedora/config/etc/httpd/conf/httpd.conf	(revision 2320)
+++ /trunk/server/fedora/config/etc/httpd/conf/httpd.conf	(revision 2321)
@@ -319,4 +319,7 @@
     SSLInsecureRenegotiation on
 
+    # Temporary fix for presumed CRIME attack against SSL
+    SSLCompression off
+
     SSLPassPhraseDialog  builtin
     SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
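Review bot: The added `SSLCompression off` is indented as if it sits inside a container, and the hunk does not show which one, so its scope should be confirmed as global server scope. The directive is stored per server config, and on builds without `SSL_OP_NO_COMPRESSION` the handler in httpd-SSLCompression.patch rejects it inside `<VirtualHost>`; only a global setting is inherited by every virtual host through the config merge. The comment also calls the fix temporary without saying what it waits on, and with the patched mod_ssl an absent directive leaves compression enabled, so deleting the line later would silently re-enable it. A comment such as `# Disable TLS-level compression (CRIME). Keep explicit: patched mod_ssl leaves compression on when this is unset.` would record that.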
Index: /trunk/server/fedora/specs/httpd.spec.patch
===================================================================
--- /trunk/server/fedora/specs/httpd.spec.patch	(revision 2320)
+++ /trunk/server/fedora/specs/httpd.spec.patch	(revision 2321)
@@ -10,5 +10,5 @@
  Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
  Source1: index.html
-@@ -58,6 +58,14 @@
+@@ -58,6 +58,15 @@
  Requires(postun): systemd-units
  Requires(post): systemd-units
@@ -21,9 +21,10 @@
 +Patch1006: httpd-suexec-cloexec.patch
 +Patch1007: httpd-fixup-vhost.patch
++Patch1008: httpd-SSLCompression.patch
 +
  %description
  The Apache HTTP Server is a powerful, efficient, and extensible
  web server.
-@@ -68,6 +77,7 @@
+@@ -68,6 +78,7 @@
  Obsoletes: secureweb-devel, apache-devel, stronghold-apache-devel
  Requires: apr-devel, apr-util-devel, pkgconfig
@@ -33,5 +34,5 @@
  %description devel
  The httpd-devel package contains the APXS binary and other files
-@@ -106,6 +116,7 @@
+@@ -106,6 +117,7 @@
  Requires(post): openssl, /bin/cat
  Requires(pre): httpd
@@ -41,5 +42,5 @@
  
  %description -n mod_ssl
-@@ -133,6 +149,13 @@
+@@ -133,6 +150,14 @@
  # Patch in vendor/release string
  sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1
@@ -51,9 +52,10 @@
 +%patch1006 -p1 -b .cloexec
 +%patch1007 -p1 -b .fixup-vhost
++%patch1008 -p1 -b .sslcompression
 +
  # Safety check: prevent build if defined MMN does not equal upstream MMN.
  vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'`
  if test "x${vmmn}" != "x%{mmn}"; then
-@@ -193,10 +217,12 @@
+@@ -193,10 +219,12 @@
          --with-apr=%{_prefix} --with-apr-util=%{_prefix} \
  	--enable-suexec --with-suexec \
