On Aug 18, 2013, at 21:09 , itpp2012 wrote:

> Igor Sysoev Wrote:
> -------------------------------------------------------
>> Yes, modern nginx versions do not use SSL compression.
> [...]
>> You have to split the dual mode server section into two server
>> sections and set "gzip off" SSL-enabled on. There is no way to
>> disable gzip in dual mode server section, but if you really
>> worry about security in general the server sections should be
>> different.
>
> If modern versions do not use ssl compression why split a dual mode server?
> If gzip is on in the http section, what happens then to the ssl section of a
> dual mode server?

These are different vulnerabilities: SSL compression is subject to CRIME vulnerability while HTTP/SSL compression is subject to BREACH vulnerability.

--
Igor Sysoev
http://nginx.com/services.html
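
The split discussed in this thread, written out as an added example that is not part of the original message or of the nginx project's documentation. The hostname, document root and certificate paths are placeholders chosen for illustration.

```nginx
# Added example. example.com, /var/www/example and the certificate
# paths are placeholders, not values from the thread.
events {}

http {
    # Set at http level, so every server block inherits it unless it
    # overrides the directive itself.
    gzip on;

    # Before: one dual-mode server block. It inherits "gzip on", so
    # response bodies sent over TLS are compressed as well, which is
    # the condition BREACH depends on.
    #
    # server {
    #     listen 80;
    #     listen 443 ssl;
    #     server_name example.com;
    #     root /var/www/example;
    # }

    # After, part 1: plain-HTTP server, still inherits "gzip on".
    server {
        listen 80;
        server_name example.com;
        root /var/www/example;
    }

    # After, part 2: SSL-enabled server with HTTP compression off.
    server {
        listen 443 ssl;
        server_name example.com;

        ssl_certificate     /etc/nginx/ssl/example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com.key;

        gzip off;   # overrides the value inherited from the http block

        root /var/www/example;
    }
}
```

Running `nginx -t` after the change confirms that the configuration parses before it is reloaded.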