[openssl-dev] removing compression?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Apr 3 20:14:35 UTC 2015
On Fri 2015-04-03 15:53:59 -0400, Salz, Rich wrote:
> I am thinking about removing compression and would like to know what
> the community thinks.
>
> At a minimum, I am going to remove the ability to add compression at
> run-time. This was never really documented. Moving forward, if
> someone wants to add a new compression scheme they will need to modify
> the OpenSSL source. This means COMP_METHOD becomes an internal
> datatype.
>
> But on a larger scale, does anyone use TLS compression? It has
> certainly caused problems with HTTP (see
> http://en.wikipedia.org/wiki/CRIME). And the best practice these days
> is to do it at the application layer, and feed the compressed bytes
> down to TLS.
I think this change is a good idea, Rich. Thanks for proposing it.
--dkg