On 15/10/2013 2:19 p.m., PSA4444 wrote:
I am trying to disable TLS compression in squid 3.2 running in reverse proxy mode. It's running on Ubuntu 12.04.

root@ip-10-0-0-xx:~# openssl s_client -connect localhost:443
...
Compression: zlib compression
Expansion: zlib compression
Compression: 1 (zlib compression)

As opposed to:

Compression: NONE
Expansion: NONE

#This is my https port setup:
https_port 443 accel cert=/path/to/cert.cert key=/path/to/key.pem vhost defaultsite=www.mysite.com cipher=ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

#And I have tried the no_comp ssl flag. (We need the DONT_VERIFY_PEER for now):
sslproxy_flags DONT_VERIFY_PEER no_comp
The flag has a case-sensitive name: No_Compression
Has the situation changed since this: http://www.squid-cache.org/mail-archive/squid-users/201210/0166.html ?
Yes things have changed since then. Sebastien identified the OpenSSL flag to disable TLS compression and it has been supported since 3.2.7 release.
Has anyone else managed to disable tls compression in Ubuntu 12.04?
Check your Squid version number (squid -v) and the OpenSSL library version and its capabilities. The flag is only confirmed working in OpenSSL versions released after the CRIME/BEAST attacks were identified.
Amos
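The check PSA4444 ran by hand above, wrapped so it can be repeated against several listeners and its result tested mechanically. This is an added example and is not code from the thread or from the Squid project. It assumes `openssl s_client` is on the PATH, and the two transcripts embedded in it are constructed to match the outcomes quoted in the post; the `Compression:` line it keys on is what s_client prints after the handshake. The OpenSSL option Amos names belongs on the listening side (the `options=` parameter of `https_port`); the `sslproxy_*` directives in the post govern Squid's own outbound TLS connections to origin servers, not what clients negotiate with port 443.

```sh
#!/bin/sh
# Added example (not from the thread or from Squid): classify the
# "Compression:" line that `openssl s_client` prints, and wrap the
# check so it can be run against a list of reverse-proxy listeners.

# Two constructed transcripts, trimmed to the lines that matter,
# matching the two outcomes quoted in the post above.
SAMPLE_ZLIB='New, TLSv1/SSLv3, Cipher is AES256-SHA
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Compression: 1 (zlib compression)'
SAMPLE_NONE='New, TLSv1/SSLv3, Cipher is AES256-SHA
Compression: NONE
Expansion: NONE'

# Reads an s_client transcript on stdin and prints the negotiated
# compression method. Exit status:
#   0  no compression negotiated ("Compression: NONE")
#   1  a compression method was negotiated (e.g. zlib): CRIME still applies
#   2  no "Compression:" line at all (handshake failed or output truncated)
tls_compression_from_transcript() {
    method=$(sed -n 's/^Compression: *//p' | head -n 1)
    case "$method" in
        "")   printf 'no Compression line in transcript\n'; return 2 ;;
        NONE) printf 'NONE\n'; return 0 ;;
        *)    printf '%s\n' "$method"; return 1 ;;
    esac
}

# Runs the handshake against host:port and classifies the result.
# Usage: tls_compression_check www.mysite.com 443 [sni-name]
# -servername matters when Squid serves several vhosts on one port;
# stdin is closed so s_client exits once the handshake is done.
tls_compression_check() {
    host=$1; port=$2; sni=${3:-$1}
    openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null \
        | tls_compression_from_transcript
}
```

Run `tls_compression_check` against the public name, not only `localhost`, so the test exercises the same vhost and certificate that clients see. A result of `NONE` without any Squid change is not a misread: OpenSSL 1.1.0 and later ship with TLS compression disabled by default, so on a newer library the Squid option is belt-and-braces, while on the 1.0.1 build in Ubuntu 12.04 it is the only thing turning compression off.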