William A. Rowe, Jr. wrote:

> But if mod_deflate doesn't use it, and openssl is built zlib-dynamic,
> they simply pitched compression from ssl sessions as well with no other
> adverse effects.

Yes, exactly. openssl doesn't select gzip compression if zlib-dynamic and zlib1.dll is missing.

> The other aspect, if a zlib1.dll replacement is needed for some critical
> decryption flaw in zlib again, it will be nice not to force users to
> entirely replace openssl or mod_deflate.  So I expect we'll leave it
> as-is.

I think mod_deflate on Windows links statically (zlib.lib) while openssl is linked dynamically (zdll.lib). At 40-60kb it's no big deal either way - but the "security flaw in zlib" argument would seem to apply to both equally. Both static or both dynamic would be more consistent.

-tom-
