SSL Compression config option
Add option to allow disable/enable of ssl level compression.
Should be related to CVE-2012-4929
Updated by stbuehler about 7 years ago
- Status changed from New to Wontfix
- Target version deleted (
Right now we disable compression if the option is available at compile time.
Is there a good reason why we would allow to use compression? As it breaks security the only remaining argument would be that ssl with compression is faster than using plain http without compression, and i seriously doubt that.
And I don't like including the hack to disable compression if openssl doesn't provide it as option. (If some distribution wants to include that part until they upgraded openssl, fine.. i just don't want to maintain it.)
Also defaulting to "s->ssl_use_compression = 1;" after CVE-2012-4929 is certainly wrong, i hope that wasn't intended :)
So all in all I think there is nothing to change right now.
Also available in: Atom