httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: Apache 2.2 - Change default for SSLCompression to off
Date Wed, 12 Jun 2013 20:07:23 GMT
On Wed, 12 Jun 2013 15:57:22 -0400
Eric Covener <covener@gmail.com> wrote:

> On Wed, Jun 12, 2013 at 3:49 PM, William A. Rowe Jr.
> <wrowe@rowe-clan.net> wrote:
> > On Wed, 12 Jun 2013 21:24:31 +0200
> > Reindl Harald <h.reindl@thelounge.net> wrote:
> >>
> >> well, on Redhat systems in "/etc/sysconfig/httpd" put the line
> >> "OPENSSL_NO_DEFAULT_ZLIB=1" did disable it before httpd
> >> offered a option, but IHMO any server software should
> >> come with as much as secure defaults if they do not hurt
> >
> > Nothing special about httpd.  That is an OpenSSL flag (a patch
> > still not adopted upstream AIUI) but it controls default behavior,
> > not negotiated behavior.
> 
> Comment 5 seems to say it controls what the server is willing to
> negotiate. What contrast were you drawing above?
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=857051

It varies what the server elects based on the client's requested
compression state.

Comment 15 reiterates that these are two different switches.  The
RH patch avoids compelling the client to use compression, the httpd
patch prevents the use of compression.  Toggling the absolute behavior
in httpd rather than the preferred default behavior was probably not
appropriate for the stable branch, but what's done is done, and I won't
vote against backporting the 2.4 change to 2.2 (although I'm -0 on the
merits).


Mime
View raw message