resincaucho

How can you disable SSL compression on Resin?


I'm trying to disable SSL compression on my Resin 4.0.35 pro server because of the CRIME vulnerability https://isecpartners.com/blog/2012/september/details-on-the-crime-attack.aspx but I'm just not sure how to do it, I don't see any options on the xml configuration which would turn that off.

I am using OpenSSL with Resin.

Thanks.


Solution

  • Try setting compression attribute inside openssl tag.

      <openssl>
        <certificate-file>...</certificate-file>
        <certificate-key-file>...</certificate-key-file>
        <password>...</password>
        <compression>false</compression>
      </openssl>
    

    Acceptable values are 'true' & 'false'

    'compression' attribute was introduced in 4.0.37. (see http://bugs.caucho.com/view.php?id=5435)