How can you disable SSL compression on Resin?

Question

I'm trying to disable SSL compression on my Resin 4.0.35 pro server because of the CRIME vulnerability https://isecpartners.com/blog/2012/september/details-on-the-crime-attack.aspx but I'm just not sure how to do it, I don't see any options on the xml configuration which would turn that off.

I am using OpenSSL with Resin.

Thanks.

Incarnate1970th · Accepted Answer · 2014-05-06T01:00:35.717

0

Try setting compression attribute inside openssl tag.

  <openssl>
    <certificate-file>...</certificate-file>
    <certificate-key-file>...</certificate-key-file>
    <password>...</password>
    <compression>false</compression>
  </openssl>

Acceptable values are 'true' & 'false'

'compression' attribute was introduced in 4.0.37. (see http://bugs.caucho.com/view.php?id=5435)

edited May 06 '14 at 01:00

answered May 02 '14 at 21:14

Incarnate1970th

202
2
7

Adding that flag did not work: ` is an unexpected tag (parent starts at).` I am on resin 4.0.35 – casolorz May 05 '14 at 20:46
Please upgrade to 4.0.39 or better. – Incarnate1970th May 06 '14 at 01:01
Thanks, just started testing the update and it is all working well. It also needs the openssl version which supports turning that compression off. – casolorz May 06 '14 at 17:03

How can you disable SSL compression on Resin?

1 Answers1