[openssl-users] removing compression?

Jeffrey Walton noloader at gmail.com
Sat Apr 4 19:39:13 UTC 2015

On Fri, Apr 3, 2015 at 3:53 PM, Salz, Rich <rsalz at akamai.com> wrote:
> I am thinking about removing compression and would like to know what the
> community thinks.
What the community thinks does not matter.

If your threat model includes recovery via compression through
protocols like TLS, HTTPS and SPDY, then you have to disable it. Or if
you have a "defensive" security posture, then you should disable it.

You can disable it in TLS by configuring OpenSSL with no-comp:

    ./configure no-ssl2 no-ssl3 no-com --prefix=/usr/local

For what its worth, I've been disabling compression since the attacks
surfaced. I've never had a problem.


More information about the openssl-users mailing list