httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: Apache 2.2 - Change default for SSLCompression to off
Date Wed, 12 Jun 2013 19:55:08 GMT


On 12.06.2013 21:49, William A. Rowe Jr. wrote:
> On Wed, 12 Jun 2013 21:24:31 +0200
> Reindl Harald <h.reindl@thelounge.net> wrote:
>>
>> well, on Redhat systems in "/etc/sysconfig/httpd" putting the line
>> "OPENSSL_NO_DEFAULT_ZLIB=1" did disable it before httpd
>> offered an option, but IMHO any server software should
>> come with as secure defaults as possible if they do not hurt
> 
> Nothing special about httpd.  That is an OpenSSL flag (a patch
> still not adopted upstream AIUI) but it controls default behavior,
> not negotiated behavior.  I believe our patch disables compression
> altogether, which is a very different toggle, but I could be wrong

https://www.ssllabs.com/ssltest/

check it with "OPENSSL_NO_DEFAULT_ZLIB=1" and without
this is what auditors do - period

it is completely irrelevant to guess which browsers are updated
and hope that most users are up-to-date, well *my* browsers are
up-to-date but this *does not* help if you are looking at the
big picture and if there is an option enabled which can be a security
problem with zero benefit it should be disabled
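The check the thread refers to (does the server still negotiate TLS compression, with or without OPENSSL_NO_DEFAULT_ZLIB / SSLCompression off), as an added example that is not part of the original post or of httpd: a live probe with Python's ssl module, and an offline reader for a captured `openssl s_client` transcript. The sample transcript in the test is constructed.

```python
"""Report whether a TLS server still negotiates compression, the condition
that "SSLCompression off" / OPENSSL_NO_DEFAULT_ZLIB=1 is meant to remove."""
import re
import socket
import ssl

# Python's default SSLContext already sets OP_NO_COMPRESSION on the client
# side; an auditing client must clear it, otherwise the server never gets
# the chance to pick zlib and the check silently passes.
def negotiated_compression(host, port=443, timeout=5.0):
    """Return the compression method the server negotiated, or None.

    None also results when the local OpenSSL was built without zlib
    support, so read None as "not proven enabled", not "proven off".
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE       # we audit compression, not the cert
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.compression()

# Offline variant: interpret a saved `openssl s_client -connect host:443`
# transcript, whose SSL-Session block carries a "Compression: ..." line.
_COMPRESSION_LINE = re.compile(r"^\s*Compression:\s*(.+?)\s*$", re.MULTILINE)

def compression_from_s_client(transcript):
    """True if the transcript shows a negotiated compression method,
    False if it shows NONE, None if no Compression line is present."""
    m = _COMPRESSION_LINE.search(transcript)
    if not m:
        return None
    return m.group(1).upper() != "NONE"
```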

