Re: Compression with APR connector and SSL

2016-07-31 Thread Christopher Schultz
Raul,

On 7/28/16 2:25 PM, Martinez Maestre, Raul (CIT-IOEP) wrote:
> Hi,
> 
> 
> 
> I have configured APR with the following versions for components
> 
> -APR version 1.5.2
> 
> - Open SSL version openssl-1.0.2h
> 
> - Apache Tomcat Native library 1.2.7
> 
> 
> 
> The HTTPS connector on server.xml is the shown below. All works
> properly except compression, no way to have contents compressed
> in client side. Someone knows what could be missing?

How are you determining that compression is not being used?

I'm confused. You seem to be enabling compression at a number of places:

> compression="on"

This should enable gzip compression of the message bodies.

> compressionMinSize="2048"
> compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json"

This further configures HTTP-compression.

>  />

h2 enables compression by default.

> 

I think OpenSSL disabled compression by default to mitigate the CRIME
attack. Their changelog[1] indicates that happened between 1.0.1h and
1.1.0, and I can't seem to find a similar change that directly affects
your version. Try re-building OpenSSL with zlib support included (use
either the "zlib" or "zlib-dynamic" build options).

You may also be at the mercy of your OS's OpenSSL package maintainers.

If you don't have zlib built-in, then you can't use compression even
if you want to. If you DO have zlib built-in, you can configure the
library to allow compression, but there is no direct-support for
enabling this option from Tomcat.

Given the CRIME vulnerability, I don't think you want to enable
compression for TLS.

Also, the default value for "useSendfile" is "true", and when sendfile
is in use, HTTP compression is disabled.

So, which compression were you trying to enable? TLS compression is a
bad idea, so you should try setting useSendfile="false" and trying again.

Hope that helps,
-chris

[1] https://www.openssl.org/news/changelog.html (search for CRIME)
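One way to answer "how are you determining that compression is not being used?" at the HTTP layer, as an added example that is not part of either post and is not Tomcat's own code. It inspects a captured, non-chunked HTTP/1.1 response and, when the body is not gzip, lists which of the conditions named in this thread could explain it; the function names and sample responses are constructed for illustration, and the checks are a simplified model of the connector settings quoted above.

```python
import gzip

# Settings copied from the connector quoted in the thread.
MIN_SIZE = 2048
MIME_TYPES = ("text/html,text/xml,text/plain,text/css,text/javascript,"
              "text/json,application/x-javascript,application/javascript,"
              "application/json").split(",")

def split_response(raw):
    """Split a raw, non-chunked HTTP/1.1 response into (headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def diagnose(raw, sent_accept_gzip=True, use_sendfile=True):
    """Return (compressed, notes) for one captured response."""
    headers, body = split_response(raw)
    if headers.get("content-encoding", "").lower() == "gzip":
        plain = gzip.decompress(body)  # raises if the body is not really gzip
        return True, ["gzip body: %d bytes on the wire, %d decoded"
                      % (len(body), len(plain))]
    notes = []
    if not sent_accept_gzip:
        notes.append("request did not send Accept-Encoding: gzip")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in MIME_TYPES:
        notes.append("Content-Type %r is not in compressableMimeType" % ctype)
    length = headers.get("content-length")
    if length is not None and int(length) < MIN_SIZE:
        notes.append("Content-Length %s is below compressionMinSize" % length)
    if use_sendfile:
        notes.append('useSendfile is not "false"; sendfile disables HTTP compression')
    return False, notes

def make_response(body, ctype, gzipped=False):
    """Build a constructed sample response (not captured from a real server)."""
    extra = ""
    if gzipped:
        body, extra = gzip.compress(body), "Content-Encoding: gzip\r\n"
    head = ("HTTP/1.1 200 OK\r\nContent-Type: %s\r\n%sContent-Length: %d\r\n\r\n"
            % (ctype, extra, len(body)))
    return head.encode("ascii") + body

SAMPLE_GZIP = make_response(b"<p>hello</p>" * 400, "text/html;charset=UTF-8", True)
SAMPLE_SMALL = make_response(b"ok", "text/plain")
SAMPLE_IMAGE = make_response(b"\x89PNG" + b"\0" * 4096, "image/png")
```

This looks only at HTTP compression (`Content-Encoding`); TLS-level compression is negotiated in the handshake and does not show up in response headers.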



Compression with APR connector and SSL

2016-07-28 Thread Martinez Maestre, Raul (CIT-IOEP)
Hi,



I have configured APR with the following versions for components

-APR version 1.5.2

- Open SSL version openssl-1.0.2h

- Apache Tomcat Native library 1.2.7



The HTTPS connector on server.xml is the shown below. All works properly
except compression, no way to have contents compressed in client side. Someone
knows what could be missing?





Thanks in advance and best regards!

Raúl