Closed teridon closed 8 years ago
Hmm, actually I just found https://bugzilla.redhat.com/show_bug.cgi?id=857051#c31 which seems to indicate that compression is off by default. I do not know how to verify this.
We don't recommend using compression, mostly because of previous vulnerabilities like CRIME.
Although one cannot put "SSLCompression off" in the config file, on current RHEL6-based versions of httpd 2.2.15, you can put OPENSSL_NO_DEFAULT_ZLIB=1 in /etc/sysconfig/httpd. Reference: http://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
Could the generator add a comment regarding this?
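Two small checks for the situation discussed in this thread, added here as an example rather than code from the issue or from the generator: one inspects `openssl s_client` output to see whether the server actually negotiated TLS compression (teridon's "how to verify this"), the other checks that the RHEL6 `/etc/sysconfig/httpd` workaround is really set. The function names and the sample inputs are constructed for the example.

```shell
# 1. Given the text output of `openssl s_client -connect host:443`,
#    report whether TLS compression was negotiated.
#    Returns 0 when the handshake shows "Compression: NONE",
#    1 when some compression method (e.g. zlib) was negotiated,
#    2 when no Compression line is present (cannot judge).
tls_compression_status() {
  line=$(printf '%s\n' "$1" | grep '^ *Compression:' | head -n 1)
  [ -n "$line" ] || return 2
  case "$line" in
    *NONE*) return 0 ;;
    *)      return 1 ;;
  esac
}

# 2. Given the contents of /etc/sysconfig/httpd, check that
#    OPENSSL_NO_DEFAULT_ZLIB=1 is set on an uncommented line
#    (the RHEL6 httpd 2.2.15 workaround mentioned above).
sysconfig_disables_zlib() {
  printf '%s\n' "$1" |
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?OPENSSL_NO_DEFAULT_ZLIB=1[[:space:]]*$'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_NONE='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Compression: NONE
Expansion: NONE'

SAMPLE_ZLIB='New, TLSv1/SSLv3, Cipher is AES256-SHA
Compression: zlib compression
Expansion: zlib compression'

SAMPLE_SYSCONFIG='# Configuration file for the httpd service.
OPENSSL_NO_DEFAULT_ZLIB=1'

# Live usage against your own server would be:
#   out=$(echo | openssl s_client -connect example.com:443 2>/dev/null)
#   tls_compression_status "$out" && echo "compression off"
```

On a RHEL6 host, the sysconfig check only tells you the variable is set; the s_client check confirms httpd was restarted and is honouring it.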