I'm trying to disable SSL compression on my Resin 4.0.35 pro server because of the CRIME vulnerability https://isecpartners.com/blog/2012/september/details-on-the-crime-attack.aspx but I'm just not sure how to do it, I don't see any options on the xml configuration which would turn that off.
I am using OpenSSL with Resin.
Thanks.
Try setting compression attribute inside openssl tag.
<openssl>
<certificate-file>...</certificate-file>
<certificate-key-file>...</certificate-key-file>
<password>...</password>
<compression>false</compression>
</openssl>
Acceptable values are 'true' & 'false'
'compression' attribute was introduced in 4.0.37. (see http://bugs.caucho.com/view.php?id=5435)