All,

On 12/21/12 10:37 AM, Christopher Schultz wrote:
> Since this is security-related, my preference is to disable SSL
> compression /by default/ and allow users to specifically enable it if
> necessary. But, this represents a change in default so I figured I'd ask.

One more note which reverses my original position: if compression is explicitly requested to be disabled and it can /not/ be disabled, I think we should fail-safe and throw an exception -- thereby failing to start the connector.

There is a similar security-related option, SSLInsecureRenegotiation, that does *not* fail-safe: if you request disabling insecure renegotiation and that option is not supported by OpenSSL, you get a warning message in the log but the connector starts up nonetheless.

-chris
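The two behaviours contrasted in the message above, as an added example that is not part of the original post and is not Tomcat or tcnative code. It uses Python's ssl binding to OpenSSL; ConnectorStartError, apply_option and build_server_context are hypothetical names, and the unsupported option name in the demo is constructed.

```python
import logging
import ssl

log = logging.getLogger("connector")


class ConnectorStartError(RuntimeError):
    """Raised when a requested hardening option cannot be put into effect."""


def apply_option(ctx, name, fail_closed):
    """Set the ssl.OP_* flag called `name` on ctx and confirm it took effect.

    Returns True if the flag is active afterwards. If it is not, either
    raise (fail_closed=True) or log a warning and return False, which is
    the warn-and-start behaviour the message describes for renegotiation.
    """
    flag = getattr(ssl, name, None)  # None: this build does not expose the option
    if flag:
        ctx.options |= flag
        if ctx.options & flag:       # read back instead of trusting the setter
            return True
    msg = f"{name} was requested but is not supported by {ssl.OPENSSL_VERSION}"
    if fail_closed:
        raise ConnectorStartError(msg)
    log.warning("%s; starting anyway", msg)
    return False


def build_server_context(option="OP_NO_COMPRESSION", fail_closed=True):
    """Create a server-side context, refusing to return one that is not hardened."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    apply_option(ctx, option, fail_closed)
    return ctx


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    ctx = build_server_context()
    print("compression disabled:", bool(ctx.options & ssl.OP_NO_COMPRESSION))
    # Constructed option name standing in for one the linked OpenSSL lacks.
    missing = "OP_CONSTRUCTED_UNSUPPORTED"
    print("warn policy applied it:", apply_option(ctx, missing, fail_closed=False))
    try:
        build_server_context(option=missing, fail_closed=True)
    except ConnectorStartError as exc:
        print("fail-closed policy refused to start:", exc)
```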