Because of CRIME, as I understand it, compression on SSL connections has to be turned off. In newer versions of Apache this can be done with the newly introduced directive SSLCompression off; in older versions this is not possible (in Debian, before version 2.2.16-6+squeeze10).
I think I have found a way to achieve this in older versions, but I am not sure why some online tests, like the Qualys SSL Test, indicate that compression is still on. My tests show something different. Could anyone please review the configuration and tell me what I am not understanding correctly?
Use the following directives from mod_headers inside an SSL virtual host block to switch off compression:
RequestHeader unset Accept-Encoding
Header unset Vary
This removes the header line from the client request that indicates the response may be sent compressed to the client.
Testing this with curl and the --raw switch, I see that non-SSL connections are compressed and SSL connections are cleartext. Use...
curl --raw -k -H 'Accept-Encoding: gzip,deflate' http://host.example.tld
...to check.
Some online testing tools still tell me my solution does not work, while others say the contrary. Now I wonder whether my solution to turn off compression for SSL connections is working or not.
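A check that tells the two compression layers apart, added here as an example and not part of the question above: the Qualys SSL Labs test reports the compression method negotiated in the TLS handshake, which is what Apache's SSLCompression directive controls and what CRIME concerns, whereas Accept-Encoding and Content-Encoding govern HTTP body compression at a different layer, so a curl test of response bodies and an SSL Labs test can legitimately disagree. The script below parses `openssl s_client` output for the TLS-level method and raw HTTP response headers for the HTTP-level encoding. The sample handshake output and headers are constructed, not captured from any real host; host.example.tld is the placeholder from the question, and the function and sample names are my own.

```shell
#!/bin/sh
# Added example (not from the original question): tell the two compression
# layers apart.  CRIME targets TLS-level compression, which Apache's
# SSLCompression directive controls and which SSL Labs reports on; the
# Accept-Encoding / Content-Encoding headers only govern HTTP body compression.

# tls_compression_state: read `openssl s_client` output on stdin and report
# the TLS compression method negotiated in the handshake.  s_client prints a
# top-level line "Compression: NONE" or e.g. "Compression: zlib compression".
tls_compression_state() {
    method=$(awk -F': ' '/^Compression:/ { print $2; exit }')
    case "$method" in
        '')   echo "unknown (no Compression line in input)" ;;
        NONE) echo off ;;
        *)    echo "on ($method)" ;;
    esac
}

# http_compression_state: read raw HTTP response headers on stdin (for example
# from `curl -D -`) and report whether the body carries a Content-Encoding
# other than identity.  Header names are matched case-insensitively and a
# trailing CR from CRLF line endings is dropped.
http_compression_state() {
    enc=$(grep -i '^content-encoding:' | head -n 1 \
          | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r')
    case "$enc" in
        ''|identity) echo off ;;
        *)           echo "on ($enc)" ;;
    esac
}

# check_live_host HOST: run both checks against a real server.  Not called
# below, so the script stays offline; host.example.tld is the placeholder
# host name from the question.
check_live_host() {
    host=$1
    printf 'TLS-level compression:  '
    openssl s_client -connect "$host:443" </dev/null 2>/dev/null | tls_compression_state
    printf 'HTTP-level compression: '
    curl -sk -D - -o /dev/null -H 'Accept-Encoding: gzip,deflate' "https://$host/" \
        | http_compression_state
}

# Constructed sample inputs (not captured from any real host).
sample_sclient_tls_compression_on() {
    printf 'New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA\nSecure Renegotiation IS supported\nCompression: zlib compression\nExpansion: zlib compression\n'
}
sample_sclient_tls_compression_off() {
    printf 'New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA\nSecure Renegotiation IS supported\nCompression: NONE\nExpansion: NONE\n'
}
sample_http_headers_gzip() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\nVary: Accept-Encoding\r\n\r\n'
}
sample_http_headers_plain() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}

# The combination the question describes: Accept-Encoding stripped, so HTTP
# bodies go out uncompressed, while the TLS handshake still negotiates zlib.
echo "TLS layer:  $(sample_sclient_tls_compression_on | tls_compression_state)"
echo "HTTP layer: $(sample_http_headers_plain | http_compression_state)"
```

Running `check_live_host host.example.tld` against a real server shows both results side by side; an SSL Labs "compression on" finding corresponds to anything other than `Compression: NONE` on the TLS line, regardless of what the HTTP headers say. One caveat when reading the TLS result: `openssl s_client` only offers compression if the OpenSSL build includes zlib support, so a client built without it will always print `Compression: NONE` and says nothing about what the server would accept from other clients.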