Feature #2445

SSL Compression config option

Added by patrickdk about 7 years ago. Updated almost 7 years ago.

Status: Wontfix
Priority: Normal
Assignee: -
Category: core
Target version: -
Start date: 2012-09-17
Due date:
% Done: 0%
Estimated time:
Missing in 1.5.x: No

Description

Add an option to allow disabling/enabling SSL-level compression.

Should be related to CVE-2012-4929

ssl-compression.diff (4 KB), patrickdk, 2012-09-17 01:36

History

#1

Updated by stbuehler almost 7 years ago

  • Status changed from New to Wontfix
  • Target version deleted (1.4.x)

Right now we disable compression if the option is available at compile time.

Is there a good reason why we would allow using compression? As it breaks security, the only remaining argument would be that SSL with compression is faster than using plain HTTP without compression, and I seriously doubt that.

And I don't like including the hack to disable compression if openssl doesn't provide it as an option. (If some distribution wants to include that part until they have upgraded openssl, fine... I just don't want to maintain it.)

Also defaulting to "s->ssl_use_compression = 1;" after CVE-2012-4929 is certainly wrong, I hope that wasn't intended :)

So all in all I think there is nothing to change right now.
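
Added example, not lighttpd's code and not taken from the attached patch: one way to confirm from a capture that a server no longer negotiates SSL/TLS compression, which is the outcome the comment above describes. It reads the compression method out of a TLS 1.2-or-earlier ServerHello record; the function names and the sample bytes are constructed for illustration, and it assumes the whole ServerHello sits in the first record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Compression method selected in a TLS <= 1.2 ServerHello record
 * (0 = null, 1 = DEFLATE per RFC 3749), or -1 if the bytes are not a
 * complete, well-formed ServerHello. */
int server_hello_compression(const uint8_t *buf, size_t len)
{
    size_t rec_len, hs_len, sid_len;

    if (len < 9 || buf[0] != 0x16 || buf[5] != 0x02)
        return -1;                    /* not handshake / not ServerHello */
    rec_len = ((size_t)buf[3] << 8) | buf[4];
    hs_len = ((size_t)buf[6] << 16) | ((size_t)buf[7] << 8) | buf[8];
    if (rec_len > len - 5 || rec_len < 4 || hs_len > rec_len - 4)
        return -1;                    /* truncated or inconsistent lengths */
    if (hs_len < 2 + 32 + 1)          /* version, random, session id length */
        return -1;
    sid_len = buf[9 + 34];
    if (sid_len > 32 || hs_len < 35 + sid_len + 2 + 1)
        return -1;
    return buf[9 + 35 + sid_len + 2]; /* byte after the cipher_suite */
}

/* Constructed sample: minimal TLS 1.2 ServerHello (zeroed random, empty
 * session id, cipher 0x002f, no extensions), parsed after dropping `drop`
 * trailing bytes to simulate a truncated capture. */
int sample_result(uint8_t compression, size_t drop)
{
    uint8_t msg[47] = { 0x16, 0x03, 0x03, 0x00, 42,  /* record header */
                        0x02, 0x00, 0x00, 38,         /* handshake header */
                        0x03, 0x03 };                 /* server_version */
    msg[44] = 0x00;
    msg[45] = 0x2f;                                   /* cipher_suite */
    msg[46] = compression;
    return server_hello_compression(msg, sizeof msg - drop);
}

int main(void)
{
    printf("null:      %d\n", sample_result(0, 0));
    printf("DEFLATE:   %d\n", sample_result(1, 0));
    printf("truncated: %d\n", sample_result(1, 1));
    return 0;
}
```

A non-zero result for a server means it still selects a compression method and is in scope for CVE-2012-4929.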
