Re: disable SSL compression?

From Magnus Hagander
Subject Re: disable SSL compression?
Date
Msg-id CABUevEx9_P567Z-5UrdLM9LJ81A7E8F1yGud55GW_wqR6AFZdg@mail.gmail.com
In response to Re: disable SSL compression?  (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
Responses Re: disable SSL compression?
List pgsql-hackers
On Sun, Mar 11, 2018 at 12:36 AM, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:

> On 3/9/18 09:06, Magnus Hagander wrote:
> > What platform does that actually work out of the box on? I have
> > customers who actively want to use it (for compression, not security --
> > replication across limited and metered links), and the amount of
> > workarounds they have to put in place OS level to get it working is
> > increasingly complicated.
>
> It was disabled in OpenSSL 1.1.0:

I am not talking about the OpenSSL disabling it. It was disabled on most *distributions* years ago, long before that commit. Which is why I'm still curious as to what platform you actually got it enabled by default on...

>   *) CRIME protection: disable compression by default, even if OpenSSL is
>      compiled with zlib enabled. Applications can still enable compression
>      by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
>      using the SSL_CONF library to configure compression.
>      [Emilia Käsper]
>
> So for your purposes, you could add a server option to turn it back on.
> Such a server option would also be useful for those users who are using
> OpenSSL <1.1.0 and want to turn off compression on the server side.

We'd probably have to put in the distribution specific workarounds like mentioned above to make it actually useful for that.
 

--
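
The server-side switch discussed in this thread, sketched with Python's `ssl` module, which exposes the same OpenSSL option bit. This is an added example, not code from the thread or from PostgreSQL; the function names are hypothetical.

```python
import ssl


def apply_compression_setting(ctx: ssl.SSLContext, enabled: bool) -> None:
    """Hypothetical server option: force TLS compression on or off.

    The library default differs between OpenSSL versions and distribution
    builds, so both directions are applied explicitly instead of trusting it.
    """
    opts = int(ctx.options)
    flag = int(ssl.OP_NO_COMPRESSION)
    # Clearing the bit corresponds to
    # SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION); setting it turns
    # compression off. All other option bits are left untouched.
    ctx.options = (opts & ~flag) if enabled else (opts | flag)


def compression_permitted(ctx: ssl.SSLContext) -> bool:
    """Return True only if this context could still negotiate compression."""
    if int(ctx.options) & int(ssl.OP_NO_COMPRESSION):
        return False
    # TLS 1.3 defines no compression, so a TLS 1.3-only context never
    # compresses regardless of the option bit.
    if ssl.HAS_TLSv1_3 and ctx.minimum_version == ssl.TLSVersion.TLSv1_3:
        return False
    # Still not a guarantee: OpenSSL must be built with zlib and the peer
    # must offer compression. After a handshake, SSLSocket.compression()
    # reports what was actually negotiated (None when nothing was).
    return True


def describe(ctx: ssl.SSLContext) -> str:
    """One-line summary suitable for a startup log message."""
    state = "permitted" if compression_permitted(ctx) else "disabled"
    return f"{ssl.OPENSSL_VERSION}: TLS compression {state}"


if __name__ == "__main__":
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    apply_compression_setting(server_ctx, enabled=False)
    print(describe(server_ctx))
```
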
