Mark,
On 8/8/13 12:45 PM, Mark Thomas wrote:
> On 08/08/2013 18:14, David Landis wrote:
>> Hi,
>>
>> I was wondering if someone could clarify the difference between
>> the configuration parameters mentioned in the subject of this
>> email or point me to some documentation that explains it?
>>
>> Do they both refer to the same type of compression?
>
> No.
>
>> Based on the Tomcat docs I know the former controls whether or
>> not the connector uses gzip compression. Regarding the latter,
>> the Tomcat docs say: "Disables compression if set to true and
>> OpenSSL supports disabling compression.". Is that referring to a
>> different type of compression?
>
> Yes.
>
> The Tomcat connector implements compression.
>
> The SSL/TLS protocol has a separate compression implementation.

... and the SSLDisableCompression setting (when set to "false") is intended to mitigate the CRIME attack against SSL/TLS compression. Feel free to read online all about the CRIME attack.

> I'd guess (no testing to back this up) that you'd be better off
> with using the connector compression as you can tailor that to the
> correct mime-types.

I tend to agree. You can also disable compression on files that are small enough that compression doesn't really buy you anything.

> I'd also guess that if you have one, enabling the other doesn't buy
> you much.

+1

I haven't really done any analysis of SSL compression (that is, compression as implemented by the TLS/SSL layer) alone versus compression-less-SSL + gzip, but I suspect that any combination of compression and encryption can lead to CRIME-like attacks ... which by the way requires the attacker to basically have remote-control access to the user's client (to force it to make requests to the server) and also be able to sniff the encrypted packets at the same time (which is of course quite a bit easier to do than client-control).
-chris
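
The two compression layers discussed in this thread, shown side by side on one connector. This is an added example, not configuration posted by anyone in the thread; it assumes a Tomcat 7 APR/native HTTPS connector, and the port, certificate paths, MIME list and size threshold are placeholder values.

```xml
<!-- server.xml fragment (added example; placeholder values throughout). -->

<!-- Layer 1: TLS-level compression, handled by OpenSSL.
     Per the Tomcat docs quoted in the thread, SSLDisableCompression
     "disables compression if set to true and OpenSSL supports
     disabling compression". -->

<!-- Layer 2: HTTP-level gzip, handled by the connector itself.
     compression="on" enables it, compressionMinSize skips responses
     too small to benefit, and compressableMimeType (Tomcat 7 spelling)
     restricts it to the listed content types. -->

<!-- The thread's caveat still applies to layer 2: it is compression
     under encryption, so keep the MIME list narrow rather than
     compressing every response. -->

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/path/to/server.crt"
           SSLCertificateKeyFile="/path/to/server.key"

           SSLDisableCompression="true"

           compression="on"
           compressionMinSize="2048"
           compressableMimeType="text/html,text/css,application/javascript" />
```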