Re: FYI brotli

2017-02-18 Thread Jim Jagielski
Just a FYI that it looks like a 0.6.x version of the lib will be released v. soon with all that is needed for the module to work and compile as-is... 1.0.0 will be released a little bit later which will simply deprecate/remove the OLD API, which we don't use anyway... That is, the lib change from

Re: FYI brotli

2017-02-16 Thread William A Rowe Jr
Funny you mention it. Nginx had it first anyways, and was (perhaps still is) using the deprecated API that dies with libbrotli rev 1.0.0 - part of that delay might have been affording nginx a chance to adapt. Versioning their installed library should allow both to be installed at once. So...

Re: FYI brotli

2017-02-16 Thread William A Rowe Jr
On Mon, Jan 16, 2017 at 2:28 PM, Evgeny Kotkov wrote:
>
> There is, however, a potential problem with backporting mod_brotli, since
> it relies on the Brotli library 1.0.0, which has not yet been released.
> In other words, if the upstream changes the API or the

Re: FYI brotli

2017-02-16 Thread William A Rowe Jr
On Thu, Feb 16, 2017 at 2:27 PM, Evgeny Kotkov wrote:
> William A Rowe Jr writes:
>
>> My open questions; has this been entirely reviewed in conjunction with h2?
>> Will A-E: br,gzip,deflate axe all others from that list when deciding to
>>

Re: FYI brotli

2017-02-16 Thread Evgeny Kotkov
William A Rowe Jr writes:

> My open questions; has this been entirely reviewed in conjunction with h2?
> Will A-E: br,gzip,deflate axe all others from that list when deciding to
> enable brotli? (I presume not-yet.) Will gzip filter work where A-E: gzip was
> given without

Re: FYI brotli

2017-02-16 Thread Jim Jagielski
Whatever... nginx will have it 1st anyway. And once again we fail our users by having a nickel holding up a dollar.

> On Feb 16, 2017, at 2:48 PM, William A Rowe Jr wrote:
>
> On Thu, Feb 16, 2017 at 12:47 PM, Jim Jagielski wrote:
>>
>>> On Feb 16, 2017,

Re: FYI brotli

2017-02-16 Thread William A Rowe Jr
On Thu, Feb 16, 2017 at 12:47 PM, Jim Jagielski wrote:
>
>> On Feb 16, 2017, at 1:15 PM, William A Rowe Jr wrote:
>>
>>
>> I concur with Evgeny Kotkov that an ABI stable dependency is appropriate
>> before adding this to httpd 2.4.x - so far as I've read

Re: FYI brotli

2017-02-16 Thread Jim Jagielski
> On Feb 16, 2017, at 1:15 PM, William A Rowe Jr wrote:
>
>
> I concur with Evgeny Kotkov that an ABI stable dependency is appropriate
> before adding this to httpd 2.4.x - so far as I've read none have suggested
> this as an experimental addition to 2.4.
>

I do. We

Re: FYI brotli

2017-02-16 Thread William A Rowe Jr
To close up some loose ends/confusion;

On Mon, Jan 16, 2017 at 6:42 PM, Jacob Champion wrote:
> On 01/16/2017 04:06 PM, William A Rowe Jr wrote:
>>
>> Before we push this at users.. is there a concern that brotli
>> compression has similar dictionary or simply size based

Re: FYI brotli

2017-01-17 Thread Jim Jagielski
Besides, we had no problems supporting OpenSSL 0.9.6 for years :) If/when brotli 1.0.0 is released, we simply add support for that as well. No biggie.

> On Jan 17, 2017, at 8:27 AM, Jim Jagielski wrote:
>
> Actually, it works fine w/ Brotli 0.5.2 which is
> what I have

Re: FYI brotli

2017-01-17 Thread Jim Jagielski
Actually, it works fine w/ Brotli 0.5.2 which is what I have installed.

> On Jan 16, 2017, at 3:28 PM, Evgeny Kotkov
> wrote:
>
> Jim Jagielski writes:
>
>> Functional patch avail... working on doccos.
>>
>>

Re: FYI brotli

2017-01-17 Thread Hanno Böck
On Mon, 16 Jan 2017 18:06:40 -0600 William A Rowe Jr wrote:
> If so, maybe we teach both to step out of the way when SSL encryption
> filters are in place?

This would make no sense. Brotli is only supported over HTTPS by browsers. Compression-based attacks are a tricky

Re: FYI brotli

2017-01-16 Thread Jacob Champion
On 01/16/2017 04:42 PM, Jacob Champion wrote: Current guidance to avoid BREACH is still, AFAIK, to avoid situations where third-party data is being sent in the same response as first-party secrets. I don't think we have a way to know when this is happening ...though if the current response is

Re: FYI brotli

2017-01-16 Thread Jacob Champion
On 01/16/2017 04:06 PM, William A Rowe Jr wrote: Before we push this at users.. is there a concern that brotli compression has similar dictionary or simply size based vulnerabilities as deflate? If you mean HTTP compression oracles (BREACH et al), then I would expect *any* compression

Re: FYI brotli

2017-01-16 Thread William A Rowe Jr
Before we push this at users.. is there a concern that brotli compression has similar dictionary or simply size based vulnerabilities as deflate? If so, maybe we teach both to step out of the way when SSL encryption filters are in place?

On Jan 16, 2017 10:14, "Jim Jagielski"

Re: FYI brotli

2017-01-16 Thread Evgeny Kotkov
Jim Jagielski writes:

> Functional patch avail... working on doccos.
>
> http://home.apache.org/~jim/patches/brotli-2.4.patch

Hi Jim,

Thank you for the backport patch. There is, however, a potential problem with backporting mod_brotli, since it relies on the Brotli

Re: FYI brotli

2017-01-16 Thread Jim Jagielski
Functional patch avail... working on doccos.

http://home.apache.org/~jim/patches/brotli-2.4.patch

> On Jan 16, 2017, at 11:11 AM, Jim Jagielski wrote:
>
> Just a heads-up that I am working on the backport proposal/patch
> for brotli for 2.4.x...

FYI brotli

2017-01-16 Thread Jim Jagielski
Just a heads-up that I am working on the backport proposal/patch for brotli for 2.4.x...