2012/12/22 Rainer Jung <rainer.j...@kippdata.de>:
> On 21.12.2012 16:37, Christopher Schultz wrote:
>> All,
>>
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=54324
>>
>> The enhancement request (marked MAJOR) is to allow the APR connector to
>> configure SSL_OP_NO_COMPRESSION in OpenSSL, disabling SSL compression
>> even when it is supported by the client. This prevents CRIME attacks.
>>
>> My question is whether we want to disable compression by default or
>> leave compression enabled when supported (which is the current default).
>>
>> Since this is security-related, my preference is to disable SSL
>> compression /by default/ and allow users to specifically enable it if
>> necessary. But, this represents a change in default so I figured I'd ask.
>>
>> Any comments?
>
> The web server in the current branch had SSL compression set to on by
> default until the latest release (2.4.3), if OpenSSL supported it. The
> next release 2.4.4 will have it disabled by default for the same
> reasons. Considering the current state of affairs I'm comfortable
> switching the defaults here.
>
Reviewing the commit for this issue,
http://svn.apache.org/viewvc?view=revision&revision=1434887

First, my preference here would be to disable compression by default, for
security reasons.

Second, with the current implementation there is no way to enable
compression if the default in OpenSSL for it is "disabled". It is actually
due to a lack of API in Tomcat-Native.

In OpenSSL there are methods to set and to clear a flag [1]:
(1) SSL_CTX_set_options(...)
(2) SSL_CTX_clear_options(...)

[1] http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

In Tomcat-Native only the "set" method is exposed by SSLContext, but there
is no API for the "clear" method.

To disable compression we call
SSLContext.setOptions(sslContext, SSL.SSL_OP_NO_COMPRESSION);

Well, this matters only if OpenSSL uses "no compression" as the default. I
see that it was considered in October 2012 [2], but I do not know what the
current state is -- there have been no releases since May 2012 and no such
change is mentioned in the current changelog [3].

[2] Thread "OpenSSL and CRIME" at openssl-dev from October 2012,
http://openssl.6102.n7.nabble.com/OpenSSL-and-CRIME-td36961.html
[3] http://openssl.org/news/changelog.html

Third, Christopher's question on the current state of JSSE support is still
unanswered
http://tomcat.markmail.org/thread/qzd7czphbpz3ox2c

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
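The set/clear asymmetry discussed in Konstantin's message, shown as an added example that is not code from Tomcat or Tomcat Native: Python's standard `ssl` module wraps the same OpenSSL pair, SSL_CTX_set_options and SSL_CTX_clear_options, behind one read/write `SSLContext.options` attribute (the setter calls SSL_CTX_set_options for bits being added and SSL_CTX_clear_options for bits being dropped), so both directions that Tomcat Native's `SSLContext.setOptions` only half covers can be exercised offline. It assumes a Python 3 built against an OpenSSL that defines SSL_OP_NO_COMPRESSION. One caveat the example itself exposes: Python's `SSLContext` turns SSL_OP_NO_COMPRESSION on itself at construction, so the "initial" value it reports is Python's default, not bare OpenSSL's, and does not settle the question of what OpenSSL's own default is.

```python
import ssl

# The same OpenSSL constant that Tomcat Native passes through in
# SSLContext.setOptions(ctx, SSL.SSL_OP_NO_COMPRESSION); ssl exposes it as an IntFlag.
NO_COMPRESSION = int(ssl.OP_NO_COMPRESSION)


def new_server_context():
    """Fresh server-side context. Note this is Python's SSLContext, which adds
    SSL_OP_NO_COMPRESSION (and a few other hardening bits) on top of whatever
    the underlying OpenSSL SSL_CTX starts with."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def compression_disabled(ctx):
    """True when SSL_OP_NO_COMPRESSION is set on the context, i.e. TLS-level
    compression can no longer be negotiated with any client."""
    return bool(int(ctx.options) & NO_COMPRESSION)


def disable_compression(ctx):
    """OR the bit in: what SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION) does,
    and the only direction Tomcat Native's SSLContext.setOptions can go."""
    ctx.options = int(ctx.options) | NO_COMPRESSION


def enable_compression(ctx):
    """Clear the bit: the SSL_CTX_clear_options direction that Tomcat Native does
    not expose. Python's setter computes which bits vanished from the old value
    and calls SSL_CTX_clear_options for exactly those."""
    ctx.options = int(ctx.options) & ~NO_COMPRESSION


def default_context_disables_compression():
    """Does a freshly built Python context already carry SSL_OP_NO_COMPRESSION?"""
    return compression_disabled(new_server_context())


def trace_set_then_clear():
    """Walk one context through set -> clear -> set and report the flag after
    each step, so the clear path is visibly distinct from the set path."""
    ctx = new_server_context()
    steps = [compression_disabled(ctx)]   # as constructed
    disable_compression(ctx)
    steps.append(compression_disabled(ctx))  # after SSL_CTX_set_options
    enable_compression(ctx)
    steps.append(compression_disabled(ctx))  # after SSL_CTX_clear_options
    disable_compression(ctx)
    steps.append(compression_disabled(ctx))  # set again
    return tuple(steps)


if __name__ == "__main__":
    print("fresh context has SSL_OP_NO_COMPRESSION:",
          default_context_disables_compression())
    print("flag after set, clear, set:", trace_set_then_clear())
```

To check a deployed connector rather than a context you built yourself, `openssl s_client -connect host:port` prints a `Compression:` line for the negotiated session; anything other than `NONE` there means the server still accepts TLS compression from a client that offers it.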