On 21.12.2012 16:37, Christopher Schultz wrote:
> All,
> 
> https://issues.apache.org/bugzilla/show_bug.cgi?id=54324
> 
> The enhancement request (marked MAJOR) is to allow the APR connector to
> configure SSL_OP_NO_COMPRESSION in OpenSSL, disabling SSL compression
> even when it is supported by the client. This prevents CRIME attacks.
> 
> My question is whether we want to disable compression by default or
> leave compression enabled when supported (which is the current default).
> 
> Since this is security-related, my preference is to disable SSL
> compression /by default/ and allow users to specifically enable it if
> necessary. But, this represents a change in default so I figured I'd ask.
> 
> Any comments?

The web server in the current branch had SSL compression set to on by
default until the latest release (2.4.3), if OpenSSL supported it. The
next release 2.4.4 will have it disabled by default for the same
reasons. Considering the current state of affairs I'm comfortable
switching the defaults here.

Regards,

Rainer
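A client-side check for the default under discussion, added here as an example that is not part of the thread or of Tomcat: it classifies the `Compression:` line in the session summary printed by `openssl s_client`, so an administrator can confirm from the outside whether a connector still negotiates compression. The `check_host` wrapper and its host/port arguments are an assumption about how it would be invoked.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from Tomcat.
# Reads `openssl s_client` output on stdin and classifies the TLS
# compression state reported in the session summary.
# Exit status: 0 = compression disabled ("Compression: NONE"),
#              1 = a compression method was negotiated (CRIME-relevant),
#              2 = no "Compression:" line at all (handshake failed or
#                  unrecognised output), so the result is unknown.
classify_compression() {
    line=$(grep -E '^[[:space:]]*Compression:' | head -n 1)
    [ -n "$line" ] || return 2
    case "$line" in
        *NONE*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Live check against a server (assumed invocation: check_host HOST [PORT]).
# stdin is closed so s_client exits right after the handshake summary.
check_host() {
    openssl s_client -connect "$1:${2:-443}" </dev/null 2>/dev/null \
        | classify_compression
}
```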
