tomcat-dev mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: SSL compression / bug 54324
Date Fri, 21 Dec 2012 15:46:04 GMT
All,

On 12/21/12 10:37 AM, Christopher Schultz wrote:
> Since this is security-related, my preference is to disable SSL
> compression /by default/ and allow users to specifically enable it if
> necessary. But, this represents a change in default so I figured I'd ask.

One more note which reverses my original position: if compression is
explicitly requested to be disabled and it can /not/ be disabled, I
think we should fail-safe and throw an exception -- thereby failing to
start the connector.

There is a similar security-related option, SSLInsecureRenegotiation,
that does *not* fail-safe: if you request disabling insecure
renegotiation and that option is not supported by OpenSSL, you get a
warning message in the log but the connector starts up nonetheless.

-chris
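
A small model of the two startup policies the mail contrasts, as an added example that is not Tomcat's own code: a setting the library cannot honour either aborts connector startup (the fail-safe proposed for compression) or merely logs a warning (what SSLInsecureRenegotiation does). It assumes Python's `ssl` module for the real `OP_NO_COMPRESSION` option; `OP_NO_INSECURE_RENEGOTIATION` is a constructed name that the module does not define, standing in for a setting the linked library lacks.

```python
import logging
import ssl

log = logging.getLogger("connector")

# Policy when the underlying library cannot honour a requested setting.
FAIL_SAFE = "fail-safe"   # refuse to start the connector
WARN_ONLY = "warn-only"   # log a warning and start anyway

# Requested setting -> (library option name, policy when unavailable).
# OP_NO_COMPRESSION is a real ssl-module constant; OP_NO_INSECURE_RENEGOTIATION
# is a constructed placeholder name the ssl module does not define.
SETTINGS = {
    "disable_compression": ("OP_NO_COMPRESSION", FAIL_SAFE),
    "disable_insecure_renegotiation": ("OP_NO_INSECURE_RENEGOTIATION", WARN_ONLY),
}


class ConnectorStartupError(Exception):
    """Raised when a fail-safe setting cannot be honoured."""


def supported_options(library=ssl):
    """Option names the linked library actually exposes."""
    return {name for name, _ in SETTINGS.values() if hasattr(library, name)}


def build_context(requested, supported=None):
    """Apply the requested settings to a fresh server-side context.

    Returns (context, warnings); warnings lists the warn-only settings that
    were requested but left unenforced. `supported` can be overridden to
    simulate a library lacking a feature.
    """
    if supported is None:
        supported = supported_options()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    warnings = []
    for key in requested:
        option, policy = SETTINGS[key]
        if option in supported:
            ctx.options |= getattr(ssl, option)
            continue
        msg = f"{key} requested but {option} is unavailable in this library"
        if policy == FAIL_SAFE:
            raise ConnectorStartupError(msg + "; refusing to start connector")
        log.warning("%s; connector starting anyway", msg)
        warnings.append(key)
    return ctx, warnings


def compression_disabled(ctx):
    """True when the context refuses TLS compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def connector_starts(requested, supported=None):
    """Whether the connector would come up with these settings."""
    try:
        build_context(requested, supported)
    except ConnectorStartupError:
        return False
    return True
```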

