Project

General

Profile

Actions

Feature #2445

closed

SSL Compression config option

Added by patrickdk over 12 years ago. Updated about 12 years ago.

Status:
Wontfix
Priority:
Normal
Category:
core
Target version:
-
ASK QUESTIONS IN Forums:

Description

Add option to allow disable/enable of ssl level compression.

Should be related to CVE-2012-4929


Files

ssl-compression.diff (4 KB) ssl-compression.diff patrickdk, 2012-09-17 01:36
Actions #1

Updated by stbuehler about 12 years ago

  • Status changed from New to Wontfix
  • Target version deleted (1.4.x)

Right now we disable compression if the option is available at compile time.

Is there a good reason why we would allow to use compression? As it breaks security the only remaining argument would be that ssl with compression is faster than using plain http without compression, and i seriously doubt that.

And I don't like including the hack to disable compression if openssl doesn't provide it as option. (If some distribution wants to include that part until they upgraded openssl, fine.. i just don't want to maintain it.)

Also defaulting to "s->ssl_use_compression = 1;" after CVE-2012-4929 is certainly wrong, i hope that wasn't intended :)

So all in all I think there is nothing to change right now.

Actions

Also available in: Atom