You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2013/01/16 00:17:52 UTC
Disable TLS compression in JSSE
All,
I'm working on a fix for
https://issues.apache.org/bugzilla/show_bug.cgi?id=54324 which is
requesting the ability to disable TLS compression in the APR connector.
If possible, I'd like to write a patch that will work for both kinds of
connectors: those based upon JSSE And those based upon APR.
I haven't found much luck searching the web for how to disable TLS
compression using JSSE.
Can anyone suggest some resources?
Thanks,
-chris
Re: Disable TLS compression in JSSE
Posted by Ognjen Blagojevic <og...@gmail.com>.
On 23.1.2013 2:13, Tim Whittington wrote:
> As far as I know, JSSE doesn't support compression.
> [1] claims this, but doesn't have a reference, and I can't find
> anything else useful on the internet, although i recall an analysis of
> the CRIME attack that claimed the same thing.
I tested couple of my Tomcat installations, each of them uses JSSE, with
this tool:
https://www.ssllabs.com/ssltest/analyze.html
I came to the same conclusion, JSSE probably doesn't support compression
at all (or, at least, out-of-the-box).
-Ognjen
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: Disable TLS compression in JSSE
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Tim,
On 1/22/13 8:13 PM, Tim Whittington wrote:
> As far as I know, JSSE doesn't support compression.
> [1] claims this, but doesn't have a reference, and I can't find
> anything else useful on the internet, although i recall an analysis of
> the CRIME attack that claimed the same thing.
Thanks -- makes sense that I couldn't find any documentation on
disabling it, then ;)
> At this point I'd probably opt for an OpenJDK code dive.
Hooray! (fyi I'm not wearing my "hooray" face when I say that).
-chris
Re: Disable TLS compression in JSSE
Posted by Tim Whittington <ti...@apache.org>.
As far as I know, JSSE doesn't support compression.
[1] claims this, but doesn't have a reference, and I can't find
anything else useful on the internet, although i recall an analysis of
the CRIME attack that claimed the same thing.
At this point I'd probably opt for an OpenJDK code dive.
tim
[1]: http://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
On Wed, Jan 16, 2013 at 12:17 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> All,
>
> I'm working on a fix for
> https://issues.apache.org/bugzilla/show_bug.cgi?id=54324 which is
> requesting the ability to disable TLS compression in the APR connector.
>
> If possible, I'd like to write a patch that will work for both kinds of
> connectors: those based upon JSSE And those based upon APR.
>
> I haven't found much luck searching the web for how to disable TLS
> compression using JSSE.
>
> Can anyone suggest some resources?
>
> Thanks,
> -chris
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org