
When I'm browsing to my SSL-protected site running nginx with Chrome, I see I'm using TLS 1.0, AES_256_CBC with SHA-1, and DHE_RSA as key exchange. That's all good and in conformance with my cipher suite settings.

However, I'm using DEFLATE compression too, which is superfluous in my opinion, since all the needed content (mainly JSON files) is already gzip compressed. Is there any way I can turn off DEFLATE compression for SSL usage in nginx?

hvtilborg
  • What did you know a month ago? It looks like there may be a critical vulnerability in SSL compression. See here: http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor – Nate Sep 11 '12 at 12:27
  • @Nate nothing special; I found it interesting, however, that both nginx and OpenSSL disabled SSL compression. – hvtilborg Sep 12 '12 at 06:55

1 Answer

SSL compression is turned off by default in nginx 1.1.6+/1.0.9+ (if OpenSSL 1.0.0+ is used) and nginx 1.3.2+/1.2.2+ (if older versions of OpenSSL are used). If you see SSL compression, you probably want to upgrade nginx.

Another obvious solution is to recompile OpenSSL without zlib compression support (which is actually the default).

Maxim Dounin
  • I'm using nginx/1.2.1 (from [Debian squeeze backports](http://packages.debian.org/squeeze-backports/nginx)) and OpenSSL 0.9.8o (standard in Debian squeeze). This means I can't turn off DEFLATE when I'm not willing to compile from source? – hvtilborg Aug 15 '12 at 07:07
  • You may install a newer binary package, e.g. from [nginx.org](http://nginx.org/en/download.html). – Maxim Dounin Aug 15 '12 at 16:20
  • I still see compression with nginx 1.2.2 and openssl 0.9.8k. I ended up rebuilding the openssl package with compression disabled. – A B Sep 13 '12 at 20:39
  • @alberge If you used a precompiled nginx binary, this is possible if it was compiled with OpenSSL 1.0.0+. In this case the workaround to disable compression in older OpenSSL versions isn't used, and nginx will instead set an option to disable compression (but the option isn't understood by your OpenSSL 0.9.8k, hence you see compression). – Maxim Dounin Sep 17 '12 at 09:24
  • Is it possible to turn it on? I know it's bad. – laike9m Oct 20 '15 at 03:39
  • @laike9m, you'll have to edit the nginx sources to do this; look for SSL_OP_NO_COMPRESSION in src/event/ngx_event_openssl.c. Note, though, that this is bad _and_ inefficient, as compression contexts consume lots of memory. – Maxim Dounin Oct 20 '15 at 14:33
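Added example (not from the question, the answer, or nginx itself): a small Python check for whether a server still negotiates TLS-level compression, the situation described in the nginx 1.2.2 / OpenSSL 0.9.8k comment above. It parses the `SSL-Session:` block printed by `openssl s_client -connect host:443` (the two sample outputs are constructed) and can also probe a live host with the stdlib `ssl` module; the host name and port passed to `probe_server` are assumptions.

```python
import re
import socket
import ssl

# Constructed samples of the "SSL-Session:" block printed by `openssl s_client -connect host:443`.
SAMPLE_COMPRESSED = """\
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 1234ABCD
    Compression: zlib compression
    Expansion: zlib compression
"""
SAMPLE_CLEAN = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-SHA
    Compression: NONE
    Expansion: NONE
"""
_KV = re.compile(r"^\s+([A-Za-z-]+)\s*:\s*(.*?)\s*$")  # indented "Key : value" lines

def parse_session_block(output):
    """Return the key/value fields of the SSL-Session block in s_client output."""
    fields = {}
    in_block = False
    for line in output.splitlines():
        if line.startswith("SSL-Session:"):
            in_block = True
            continue
        if in_block:
            m = _KV.match(line)
            if not m:
                break  # the block ends at the first non-indented line
            fields[m.group(1)] = m.group(2)
    return fields

def compression_negotiated(output):
    """True when the handshake in `output` agreed on a compression method."""
    return parse_session_block(output).get("Compression", "NONE").upper() != "NONE"

def probe_server(host, port=443):
    """Live check with the stdlib: return the negotiated compression name, or None."""
    ctx = ssl.create_default_context()
    # create_default_context() sets OP_NO_COMPRESSION, so the client would never offer it; clear
    # it so the result reflects the server (client OpenSSL must itself have zlib, else always None).
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.compression()
```

Feed `compression_negotiated` the stdout of `openssl s_client -connect host:443 </dev/null`; a result of `True` (or a non-`None` value from `probe_server`) means the upgrade or rebuild described in the answer has not taken effect.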