Kirill,

On 5/8/19 23:20, Kirill Ilyukhin wrote:
> This might be a bad idea, but I have exactly the same issue with
> static content (simple index.html file). Also BREACH vulnerability
> implies three conditions, a webapp developer may decide to use
> TLS+gzip because one of them is not satisfied for a particular
> service. I suppose servers and clients should support any valid
> configuration.
>
> My web application feeds its clients with large chunks of plain
> text data. Clients are mobile devices which are sensitive to
> network traffic usage, HTTP compression is a must.

Sounds reasonable. In any case, the server and the client should work
together, regardless of whether it's a risky configuration or not. I
was just wondering if maybe this incompatibility might be a non-issue.
But in your case, I think it is.

-chris

> On Thu, 9 May 2019 at 01:08, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Kirill,
>
> Is it a good idea to use TLS+gzip for dynamic services?
>
> http://breachattack.com/
>
> ?
>
> -chris
>
> On 5/8/19 08:27, Kirill Ilyukhin wrote:
>>>> Mark,
>>>>
>>>> Could you please take a closer look to the issue? This
>>>> happens with Safari and native apps on iOS 11 and iOS 12
>>>> which means that Tomcat HTTP/2 cannot be enabled for any
>>>> service with iOS clients.
>>>>
>>>> If we open https://www.google.com in Safari (both iOS and Mac
>>>> OS), we see that HTML and JS are received over HTTP/2 with
>>>> GZIP compression. So in general Safari supports HTTP/2+GZIP.
>>>> Could it be that Tomcat does some sort of HTTP/2+GZIP which
>>>> conforms to all the specs but somehow is
>>>> "Apple-incompatible"? Do you think some subtle changes
>>>> (including crazy ones like headers order, etc) might fix the
>>>> issue?
>>>>
>>>> Thank you, Kirill
>>>>
>>>> On Wed, 8 May 2019 at 17:08, Mark Thomas <ma...@apache.org>
>>>> wrote:
>>>>
>>>>> Although I find it hard to believe, this looks like a
>>>>> browser bug. There is a similar issue with FireFox:
>>>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=63354
>>>>>
>>>>> I suggest opening an issue with Apple.
>>>>>
>>>>> Mark
>>>>>
>>>>> On 08/05/2019 05:23, Kirill Ilyukhin wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am trying to run Tomcat with HTTP/2 support. Everything
>>>>>> works perfectly fine until I enable content compression.
>>>>>> Google Chrome on Mac OS is OK with gzip compression.
>>>>>> Apple Safari on Mac OS and iOS fail with “The operation
>>>>>> couldn’t be completed. Protocol error”
>>>>>> (NSPOSIXErrorDomain:100). iOS URLSession also does not work.
>>>>>> Is it something wrong with my configuration or code? Please
>>>>>> see below server setup, connector configuration and servlet
>>>>>> code.
>>>>>>
>>>>>> Server version: Apache Tomcat/8.5.39
>>>>>> Server built: Mar 14 2019 11:24:26 UTC
>>>>>> Server number: 8.5.39.0
>>>>>> OS Name: Mac OS X
>>>>>> OS Version: 10.13.6
>>>>>> Architecture: x86_64
>>>>>> JVM Version: 9.0.1+11
>>>>>> JVM Vendor: Oracle Corporation
>>>>>> Loaded APR based Apache Tomcat Native library [1.2.21] using APR version [1.6.5].
>>>>>> APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
>>>>>> APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
>>>>>> OpenSSL successfully initialized [OpenSSL 1.0.2r 26 Feb 2019]
>>>>>> The ["https-openssl-nio-8080"] connector has been configured to support negotiation to [h2] via ALPN
>>>>>>
>>>>>> <Connector port="8080"
>>>>>>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>>>     asyncTimeout="20000" URIEncoding="utf-8"
>>>>>>     acceptorThreadCount="1"
>>>>>>     compressibleMimeType="text/html,text/xml,text/plain,text/x-json,application/javascript,application/json,text/css"
>>>>>>     compression="force"
>>>>>>     connectionTimeout="20000" minSpareThreads="2"
>>>>>>     maxThreads="1024" processorCache="512"
>>>>>>     useSendfile="true" SSLEnabled="true" secure="true" >
>>>>>>   <UpgradeProtocol
>>>>>>       className="org.apache.coyote.http2.Http2Protocol"
>>>>>>       compressibleMimeType="text/html,text/xml,text/plain,text/x-json,application/javascript,application/json,text/css"
>>>>>>       compression="force" />
>>>>>>   <SSLHostConfig><Certificate certificateKeyFile="xxx"
>>>>>>       certificateFile="yyy" certificateChainFile="zzz"
>>>>>>       type="RSA" /></SSLHostConfig>
>>>>>> </Connector>
>>>>>>
>>>>>> public class TestServlet extends javax.servlet.http.HttpServlet {
>>>>>>     protected void doGet(javax.servlet.http.HttpServletRequest request,
>>>>>>             javax.servlet.http.HttpServletResponse response)
>>>>>>             throws javax.servlet.ServletException, java.io.IOException {
>>>>>>         response.setContentType("text/plain");
>>>>>>         response.setCharacterEncoding("utf-8");
>>>>>>         response.getWriter().write("Lorem ipsum dolor sit amet");
>>>>>>     }
>>>>>> }
>>>>>>
>>>>>> Thank you, Kirill
>>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
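The three BREACH conditions mentioned in the thread are listed at the linked breachattack.com page: the response is served with HTTP-level compression, it reflects user input in the body, and it carries a secret in the body. The following is an added example, not part of the thread and not Tomcat code, that checks logged responses against those conditions to decide where TLS+gzip is a concern; the secret patterns, URLs and sample bodies are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed markers for secrets in a body (hypothetical field names).
SECRET_PATTERNS = [
    re.compile(r'name="csrf[_-]?token"\s+value="[^"]{16,}"', re.I),
    re.compile(r'"(?:access|session)_token"\s*:\s*"[^"]{16,}"', re.I),
]
COMPRESSED = {"gzip", "deflate", "br"}
MIN_REFLECT_LEN = 4  # ignore very short values that match by accident


def breach_conditions(url, response_headers, body):
    """Report which of the three BREACH preconditions one response meets."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    encodings = {e.strip().lower()
                 for e in headers.get("content-encoding", "").split(",")}
    params = parse_qsl(urlsplit(url).query)
    reflected = [name for name, value in params
                 if len(value) >= MIN_REFLECT_LEN and value in body]
    return {
        "compressed": bool(encodings & COMPRESSED),
        "reflects_input": bool(reflected),
        "contains_secret": any(p.search(body) for p in SECRET_PATTERNS),
    }


def is_exposed(url, response_headers, body):
    """Only a response meeting all three conditions needs compression off."""
    return all(breach_conditions(url, response_headers, body).values())


# Constructed samples: (URL, response headers, decoded body) as a proxy logs them.
TOKEN_FIELD = '<input name="csrf_token" value="3f9a1c77b2d04e5a9c10">'
SAMPLES = {
    "static": ("https://app.example/index.html",
               {"Content-Encoding": "gzip"},
               "<html><body>Lorem ipsum dolor sit amet</body></html>"),
    "dynamic": ("https://app.example/search?q=lorem-ipsum",
                {"Content-Encoding": "gzip"},
                "<p>Results for lorem-ipsum</p>" + TOKEN_FIELD),
    "uncompressed": ("https://app.example/search?q=lorem-ipsum",
                     {},
                     "<p>Results for lorem-ipsum</p>" + TOKEN_FIELD),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, breach_conditions(*sample), is_exposed(*sample))
```

The static page meets only the compression condition, which matches the argument in the thread that a service may safely use TLS+gzip when one of the conditions is not satisfied.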