From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat 8.5 HTTP/2 connector not supporting GZIP compression
Date Mon, 06 Feb 2017 14:42:12 GMT

Konstantin,

On 2/4/17 2:43 PM, Konstantin Kolinko wrote:
> 2017-02-04 18:55 GMT+03:00 Patrizio Munzi
> <patrizio.munzi@gmail.com>:
>> It looks like tomcat 8.5 HTTP/2 protocol does not support GZIP
>> compression. Can anyone confirm or give advice on how to enable
>> it?
>> 
>> The following does not work:
>> 
>> <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
>>            port="8443"
>>            connectionTimeout="20000"
>>            executor="main"
>>            SSLEnabled="true"
>>            scheme="https"
>>            secure="true"
>>            URIEncoding="UTF-8"
>>            maxHttpHeaderSize="10240"
>>            compression="force"
>>            SSLCertificateKeyFile="${tomcat.conf.dir}/key.pem"
>>            SSLCertificateFile="${tomcat.conf.dir}/cert.pem"
>>            SSLPassword="changeit">
>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>> </Connector>
> 
> When you ask about compression of dynamic content, I think that
> you should read about the following well-known issues first,
> especially the latter one:
> 
> https://en.wikipedia.org/wiki/CRIME_(security_exploit) 
> https://en.wikipedia.org/wiki/BREACH_(security_exploit)

It's BREACH that's worse. CRIME seems to be focused on using
known plaintext to pick away at the TLS encryption wrapper. While also
a known-plaintext attack, BREACH uses HTTP compression (where the
headers are not compressed before being encrypted for transfer) and
the compressed content is buried more deeply, so an attack is thus
(slightly) more difficult to pull off.

There are also some mitigations, the first of which is to ensure that
your application doesn't have any XSS vulnerabilities (which is
usually a big job). The second is to play games with enabling
compression only under certain circumstances, but I suspect those
circumstances are quite difficult to truly get right, and their
validity will diminish over time.

-chris
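The compression oracle behind the BREACH link Konstantin posted, and one of the mitigations that sits outside the "compress only under certain circumstances" games Chris mentions, as an added example that is not part of this thread and not Tomcat code. It assumes a constructed response page (a hidden CSRF field plus a reflected search parameter), a constructed sample token, and a greedy LZ77 matcher that models only the back-reference stage of DEFLATE, which is the stage the attack exploits; the attacker's byte-at-a-time loop then recovers the token from the vulnerable page and fails against a page whose token is XORed with a fresh per-request mask, since the bytes on the wire then change on every response while the server can still unmask them:

```python
"""BREACH-style compression oracle against a reflected parameter, plus the
per-request masking mitigation. Added toy model; not code from the thread."""
import os
import zlib

HEX = "0123456789abcdef"
SECRET = b"7f3a9c1e"          # constructed sample CSRF token (never a fixed one in practice)
KNOWN_PREFIX = 'value="'      # page text the attacker knows sits right before the token


def render(csrf_field: str, reflected: str) -> bytes:
    """Constructed response: a hidden CSRF field plus an attacker-controlled echo."""
    return (
        "<html><body>\n"
        f'<input type="hidden" name="csrf" value="{csrf_field}">\n'
        f"<p>No results for: {reflected}</p>\n"
        "</body></html>"
    ).encode()


def lz77_tokens(data: bytes, min_match: int = 3) -> int:
    """Number of tokens a greedy LZ77 matcher emits (literals + back-references).

    Models only the LZ77 stage of DEFLATE, the part BREACH exploits: a longer
    match against earlier text means one token fewer. Real zlib output is
    measured in bytes after Huffman coding, which adds noise (see main()).
    """
    i, tokens, n = 0, 0, len(data)
    while i < n:
        best = 0
        for j in range(i):                     # try every earlier start position
            k = 0
            while i + k < n and data[j + k] == data[i + k]:
                k += 1
            best = max(best, k)
        i += best if best >= min_match else 1
        tokens += 1
    return tokens


def recover_token(oracle, length: int, alphabet: str = HEX) -> str:
    """Byte-at-a-time recovery: the guess that compresses best extends the match."""
    known = ""
    for _ in range(length):
        costs = {c: oracle(KNOWN_PREFIX + known + c) for c in alphabet}
        known += min(costs, key=costs.get)
    return known


def attack_vulnerable() -> str:
    """Token echoed verbatim on every response: fully recoverable."""
    return recover_token(lambda guess: lz77_tokens(render(SECRET.decode(), guess)),
                         len(SECRET))


def mask_token(token: bytes, mask: bytes) -> str:
    """Per-request masking: the page carries mask-hex ':' (token XOR mask)-hex,
    so the wire bytes change on every response although the token does not."""
    masked = bytes(a ^ b for a, b in zip(token, mask))
    return mask.hex() + ":" + masked.hex()


def unmask_token(field: str) -> bytes:
    """Server side: recover the token from a submitted masked field."""
    mask_hex, masked_hex = field.split(":")
    mask, masked = bytes.fromhex(mask_hex), bytes.fromhex(masked_hex)
    return bytes(a ^ b for a, b in zip(masked, mask))


def attack_masked(mask: bytes) -> str:
    """Same attack against the masked page: the oracle now only tracks the random mask."""
    field = mask_token(SECRET, mask)
    return recover_token(lambda guess: lz77_tokens(render(field, guess)), len(SECRET))


if __name__ == "__main__":
    print("vulnerable page, recovered:", attack_vulnerable())
    print("masked page, recovered    :", attack_masked(os.urandom(len(SECRET))))
    # Real DEFLATE shows the same trend, but only at byte granularity and with
    # Huffman-coding noise, which is why BREACH tooling retries with padding.
    right = render(SECRET.decode(), KNOWN_PREFIX + "7")
    wrong = render(SECRET.decode(), KNOWN_PREFIX + "e")
    print("zlib bytes, right vs wrong first guess:",
          len(zlib.compress(right)), len(zlib.compress(wrong)))
```

Masking is the mitigation the BREACH authors themselves suggest for tokens; it works regardless of whether the connector compresses, which is why it ages better than the conditional-compression tricks. On the Tomcat side, the coarse equivalent of "only under certain circumstances" is to keep `compression` on but restrict `compressibleMimeType` on the HTTP/1.1 connector to static types that never carry per-user secrets, rather than `compression="force"` as in the quoted config.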