Christopher,

This might be a bad idea, but I have exactly the same issue with static
content (simple index.html file). Also, the BREACH vulnerability implies three
conditions; a webapp developer may decide to use TLS+gzip because one of
them is not satisfied for a particular service. I suppose servers and
clients should support any valid configuration.

My web application feeds its clients with large chunks of plain text data.
Clients are mobile devices which are sensitive to network traffic usage;
HTTP compression is a must.


Thank you,
Kirill

On Thu, 9 May 2019 at 01:08, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Kirill,
>
> Is it a good idea to use TLS+gzip for dynamic services?
>
> http://breachattack.com/
>
> ?
>
> -chris
>
> On 5/8/19 08:27, Kirill Ilyukhin wrote:
> > Mark,
> >
> > Could you please take a closer look at the issue? This happens with
> > Safari and native apps on iOS 11 and iOS 12 which means that Tomcat
> > HTTP/2 cannot be enabled for any service with iOS clients.
> >
> > If we open https://www.google.com in Safari (both iOS and Mac OS),
> > we see that HTML and JS are received over HTTP/2 with GZIP
> > compression. So in general Safari supports HTTP/2+GZIP. Could it be
> > that Tomcat does some sort of HTTP/2+GZIP which conforms to all the
> > specs but somehow is "Apple-incompatible"? Do you think some
> > subtle changes (including crazy ones like header order, etc.) might
> > fix the issue?
> >
> > Thank you, Kirill
> >
> > On Wed, 8 May 2019 at 17:08, Mark Thomas <ma...@apache.org> wrote:
> >
> >> Although I find it hard to believe, this looks like a browser
> >> bug. There is a similar issue with Firefox:
> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=63354
> >>
> >> I suggest opening an issue with Apple.
> >>
> >> Mark
> >>
> >>
> >>
> >> On 08/05/2019 05:23, Kirill Ilyukhin wrote:
> >>> Hi,
> >>>
> >>> I am trying to run Tomcat with HTTP/2 support. Everything works
> >>> perfectly fine until I enable content compression. Google
> >>> Chrome on Mac OS is OK with gzip compression. Apple Safari on
> >>> Mac OS and iOS fail with “The operation couldn’t be completed.
> >>> Protocol error” (NSPOSIXErrorDomain:100). iOS URLSession also
> >>> does not work. Is it something wrong with my configuration or
> >>> code? Please see below server setup, connector configuration
> >>> and servlet code.
> >>>
> >>> Server version: Apache Tomcat/8.5.39
> >>> Server built:   Mar 14 2019 11:24:26 UTC
> >>> Server number:  8.5.39.0
> >>> OS Name:        Mac OS X
> >>> OS Version:     10.13.6
> >>> Architecture:   x86_64
> >>> JVM Version:    9.0.1+11
> >>> JVM Vendor:     Oracle Corporation
> >>> Loaded APR based Apache Tomcat Native library [1.2.21] using APR version [1.6.5].
> >>> APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> >>> APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
> >>> OpenSSL successfully initialized [OpenSSL 1.0.2r  26 Feb 2019]
> >>> The ["https-openssl-nio-8080"] connector has been configured to support negotiation to [h2] via ALPN
> >>>
> >>>
> >>> <Connector port="8080"
> >>>            protocol="org.apache.coyote.http11.Http11NioProtocol"
> >>>            asyncTimeout="20000" URIEncoding="utf-8"
> >>>            acceptorThreadCount="1"
> >>>            compressibleMimeType="text/html,text/xml,text/plain,text/x-json,application/javascript,application/json,text/css"
> >>>            compression="force"
> >>>            connectionTimeout="20000" minSpareThreads="2"
> >>>            maxThreads="1024" processorCache="512" useSendfile="true"
> >>>            SSLEnabled="true" secure="true">
> >>>   <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
> >>>                    compressibleMimeType="text/html,text/xml,text/plain,text/x-json,application/javascript,application/json,text/css"
> >>>                    compression="force" />
> >>>   <SSLHostConfig>
> >>>     <Certificate certificateKeyFile="xxx" certificateFile="yyy"
> >>>                  certificateChainFile="zzz" type="RSA" />
> >>>   </SSLHostConfig>
> >>> </Connector>
> >>>
> >>>
> >>> public class TestServlet extends javax.servlet.http.HttpServlet {
> >>>     protected void doGet(javax.servlet.http.HttpServletRequest request,
> >>>                          javax.servlet.http.HttpServletResponse response)
> >>>             throws javax.servlet.ServletException, java.io.IOException {
> >>>         response.setContentType("text/plain");
> >>>         response.setCharacterEncoding("utf-8");
> >>>         response.getWriter().write("Lorem ipsum dolor sit amet");
> >>>     }
> >>> }
> >>>
> >>>
> >>> Thank you, Kirill
> >>>
>
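
The three BREACH conditions discussed in this thread are HTTP-level compression, user input reflected in the response body, and a secret in the same body. The following is an added example, not part of the original e-mails or of Tomcat: it checks whether a response's compressed size depends on request input, using zlib as a stand-in for the connector's gzip; `SECRET`, `static_page`, `dynamic_page` and `PROBES` are constructed for illustration.

```python
import zlib

# Constructed sample token standing in for a CSRF token (not from the thread).
SECRET = "csrf=9f3a7c21e5b84d06"

def gzip_len(body: str) -> int:
    """Size of the DEFLATE-compressed body; TLS hides content, not length."""
    return len(zlib.compress(body.encode("utf-8"), 9))

def static_page(_query: str) -> str:
    # Static index.html case: no secret and nothing echoed from the request.
    return "<html><body>" + "Lorem ipsum dolor sit amet. " * 20 + "</body></html>"

def dynamic_page(query: str) -> str:
    # Dynamic case: the body holds a secret AND echoes request input.
    return ("<html><body><input type='hidden' value='" + SECRET + "'>"
            "<p>Results for: " + query + "</p></body></html>")

def length_depends_on_input(render, inputs) -> bool:
    """True if equal-length inputs yield different compressed sizes."""
    if len({len(i) for i in inputs}) != 1:
        raise ValueError("inputs must have equal length to compare fairly")
    return len({gzip_len(render(i)) for i in inputs}) > 1

# Two equal-length request values: one equal to the secret, one unrelated.
PROBES = [SECRET, "QWXZ=KJVMPLTRYNGHUBDC"]

if __name__ == "__main__":
    for name, render in (("static", static_page), ("dynamic", dynamic_page)):
        sizes = [gzip_len(render(p)) for p in PROBES]
        print(name, sizes, "input-dependent:",
              length_depends_on_input(render, PROBES))
```

A response that fails this check is a candidate for excluding from compression or for moving the secret out of the body; the static page passes because one of the three conditions is absent.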
