All,

https://issues.apache.org/bugzilla/show_bug.cgi?id=54324

The enhancement request (marked MAJOR) is to allow the APR connector to configure SSL_OP_NO_COMPRESSION in OpenSSL, disabling SSL compression even when it is supported by the client. This prevents CRIME attacks.

My question is whether we want to disable compression by default or leave compression enabled when supported (which is the current default). Since this is security-related, my preference is to disable SSL compression /by default/ and allow users to specifically enable it if necessary. But, this represents a change in default so I figured I'd ask.

Any comments?

Thanks,
-chris
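The proposed "off by default, opt in if necessary" behaviour, as an added example that is not code from this thread or from the Tomcat APR connector: Python's ssl module exposes the same OpenSSL option bit (ssl.OP_NO_COMPRESSION is SSL_OP_NO_COMPRESSION), so the default and the opt-in path can be built and audited with the standard library alone. The function names are made up for this example.

```python
import ssl

# Added example, not from the Tomcat thread or the APR connector. The
# function names are hypothetical; the option flag is OpenSSL's own.


def make_server_context(allow_compression: bool = False) -> ssl.SSLContext:
    """Build a TLS server context.

    Compression is refused unless the caller explicitly enables it, which is
    the default proposed in the thread (CRIME relies on TLS-level compression
    of attacker-influenced plaintext, so leaving it off is the safe default).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if allow_compression:
        # Opt-in path: clear the bit so OpenSSL may negotiate compression
        # with clients that offer it (the pre-change default behaviour).
        ctx.options = ctx.options & ~ssl.OP_NO_COMPRESSION
    else:
        # Secure default: never negotiate compression, even if offered.
        ctx.options = ctx.options | ssl.OP_NO_COMPRESSION
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """Audit check: True when this context will never negotiate compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


if __name__ == "__main__":
    print("default:", compression_disabled(make_server_context()))
    print("opt-in :", compression_disabled(make_server_context(allow_compression=True)))
```

In the APR connector the same bit is applied in C with SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); the audit check above corresponds to inspecting SSL_CTX_get_options for that bit.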