tomcat-dev mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject SSL compression / bug 54324
Date Fri, 21 Dec 2012 15:37:12 GMT
All,

https://issues.apache.org/bugzilla/show_bug.cgi?id=54324

The enhancement request (marked MAJOR) is to allow the APR connector to
configure SSL_OP_NO_COMPRESSION in OpenSSL, disabling SSL compression
even when it is supported by the client. This prevents CRIME attacks.

My question is whether we want to disable compression by default or
leave compression enabled when supported (which is the current default).

Since this is security-related, my preference is to disable SSL
compression /by default/ and allow users to specifically enable it if
necessary. But, this represents a change in default so I figured I'd ask.

Any comments?

Thanks,
-chris
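To make the proposed default concrete, here is an added example (not Tomcat's code and not from the bug report) that mirrors the decision being discussed: a connector attribute that defaults to disabling TLS compression, with an explicit opt-in to re-enable it. Python's `ssl` module is used as a stand-in because `ssl.OP_NO_COMPRESSION` binds the same OpenSSL `SSL_OP_NO_COMPRESSION` flag the APR connector would set; the attribute name `SSLDisableCompression` and the `server.xml`-style boolean parsing are assumptions for illustration only.

```python
import ssl

# Hypothetical connector attribute name (assumption, not taken from the page).
DISABLE_COMPRESSION_ATTR = "SSLDisableCompression"


def parse_bool_attr(value, default=True):
    """Parse a server.xml-style boolean attribute.

    A missing attribute yields the default; the default of True mirrors the
    proposal to disable SSL compression unless the user explicitly enables it.
    """
    if value is None:
        return default
    v = value.strip().lower()
    if v in ("true", "yes", "on", "1"):
        return True
    if v in ("false", "no", "off", "0"):
        return False
    raise ValueError(f"invalid boolean attribute value: {value!r}")


def build_server_context(attrs):
    """Build a server-side TLS context from a dict of connector attributes.

    Compression is disabled (CRIME mitigation) unless the attribute is set to
    "false". ssl.OP_NO_COMPRESSION is Python's binding of OpenSSL's
    SSL_OP_NO_COMPRESSION, so this is the same option the APR connector
    would apply.
    """
    disable = parse_bool_attr(attrs.get(DISABLE_COMPRESSION_ATTR))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if disable:
        ctx.options |= ssl.OP_NO_COMPRESSION      # hardened: refuse compression
    else:
        ctx.options &= ~ssl.OP_NO_COMPRESSION     # explicit opt-in: allow it
    return ctx


def compression_disabled(ctx):
    """Audit check: True if the context refuses TLS compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def connection_uses_compression(tls_sock):
    """Post-handshake check on a live ssl.SSLSocket.

    Returns the negotiated compression method name, or None when the
    connection is uncompressed, which is what a hardened context should yield.
    """
    return tls_sock.compression()


if __name__ == "__main__":
    # Constructed attribute sets standing in for three server.xml variants.
    for attrs in ({}, {DISABLE_COMPRESSION_ATTR: "true"}, {DISABLE_COMPRESSION_ATTR: "false"}):
        ctx = build_server_context(attrs)
        print(attrs or "(attribute absent)", "->",
              "compression disabled" if compression_disabled(ctx) else "compression allowed")
```

Note that OpenSSL builds compiled without compression support will never negotiate it regardless of this flag; setting `SSL_OP_NO_COMPRESSION` makes the behaviour independent of how the library was built, which is why a secure-by-default setting is still worthwhile.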

