-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Raul,
On 7/28/16 2:25 PM, Martinez Maestre, Raul (CIT-IOEP) wrote: > Hi, > > > > I have configured APR with the following versions for components > > -APR version 1.5.2 > > - Open SSL version openssl-1.0.2h > > - Apache Tomcat Native library 1.2.7 > > > > The HTTPS connector on server.xml is the shown below. All works > properly ex= cept compression, no way to have contents compressed > in client side. Someon= e knows what could be missing? How are you determining that compression is not being used? I'm confused. You seem to be enabling compression at a number of places: > compression=3D"on" This should enable gzip compression of the message bodies. > compressionMinSize="2048" > compressableMimeType="text/html,text/xml,text/plain,text/css,te= > xt/javascript,text/json,application/x-javascript,application/javascrip t,app= > > lication/json" This further configures HTTP-compression. > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol=" > /> h2 enables compression by default. > <SSLHostConfig disableCompression="false"> I think OpenSSL disabled compression by default to mitigate the CRIME attack. Their changelog[1] indicates that happened between 1.0.1h and 1.1.0, and I can't seem to find a similar change that directly affects your version. Try re-building OpenSSL with zlib support included (use either the "zlib" or "zlib-dynamic" build options). You may also be at the mercy of your OS's OpenSSL package maintainers. If you don't have zlib built-in, then you can't use compression even if you want to. If you DO have zlib built-in, you can configure the library to allow compression, but there is no direct-support for enabling this option from Tomcat. Given the CRIME vulnerability, I don't think you want to enable compression for TLS. Also, the default value for "useSendfile" is "true", and when sendfile is in use, HTTP compression is disabled. So, which compression were you trying to enable? TLS compression is a bad idea, so you should try setting useSendfile="false" and trying again . Hope that helps, - -chris [1] https://www.openssl.org/news/changelog.html (search for CRIME) -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAled8WsACgkQ9CaO5/Lv0PCadACdHhS5/k3gqVis5VeX6nha5W+Y lhoAoKYIjAC0lVOLCfJ47/HM9toFixXk =9GCe -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org