mozilla / server-side-tls

Server side TLS Tools
https://ssl-config.mozilla.org
Mozilla Public License 2.0

SSLCompression option for Apache < 2.2.24/2.4.3 #109

Closed teridon closed 8 years ago

teridon commented 8 years ago

Although one cannot put "SSLCompression off" in the config file, on current RHEL6-based versions of httpd 2.2.15, you can put OPENSSL_NO_DEFAULT_ZLIB=1 in /etc/sysconfig/httpd. Reference: http://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/

Could the generator add a comment regarding this?

teridon commented 8 years ago

Hmm, actually I just found https://bugzilla.redhat.com/show_bug.cgi?id=857051#c31 which seems to indicate that compression is off by default. I do not know how to verify this.

jvehent commented 8 years ago

We don't recommend using compression, mostly because of previous vulnerabilities like CRIME.