5

When I'm browsing to my SSL protected site running nginx with Chrome, I see I'm using TLS 1.0, AES_256_CBC with SHA-1, and DHE_RSA as key exchange. That's all good and in conformance with my cipher suite settings.

However, I'm using DEFLATE compression too, which is superfluous in my opinion, since all the needed content (mainly JSON files) is already gzip compressed. Is there any way I can turn off deflate compression for SSL usage in nginx?

2
  • 3
    What did you know a month ago? It looks like there may be a critical vulnerability in SSL compression. See here: security.stackexchange.com/questions/19911/… Commented Sep 11, 2012 at 12:27
  • 1
    @Nate nothing special; I found it interesting, however, that both nginx and OpenSSL disabled SSL compression. Commented Sep 12, 2012 at 6:55

1 Answer

9

SSL compression is turned off by default in nginx 1.1.6+/1.0.9+ (if OpenSSL 1.0.0+ is used) and nginx 1.3.2+/1.2.2+ (if older versions of OpenSSL are used). If you see SSL compression, you probably want to upgrade nginx.

Another obvious solution is to recompile OpenSSL without zlib compression support (which is actually the default).

6
  • I'm using nginx/1.2.1 (from Debian squeeze backports) and OpenSSL 0.9.8o (standard in Debian squeeze). This means I can't turn off DEFLATE when I'm not willing to compile from source? Commented Aug 15, 2012 at 7:07
  • 2
    You may install a newer binary package, e.g. from nginx.org. Commented Aug 15, 2012 at 16:20
  • I still see compression with nginx 1.2.2 and openssl 0.9.8k. I ended up rebuilding the openssl package with compression disabled. Commented Sep 13, 2012 at 20:39
  • @alberge If you used a precompiled nginx binary, this is possible if it was compiled with OpenSSL 1.0.0+. In this case the workaround to disable compression in older OpenSSL versions isn't used, and nginx will instead set an option to disable compression (but the option isn't understood by your OpenSSL 0.9.8k, hence you see compression). Commented Sep 17, 2012 at 9:24
  • Is it possible to turn it on? I know it's bad. Commented Oct 20, 2015 at 3:39
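
The version rules from the answer and its comment thread, written out as an added Python example (not code from the answer, nginx or OpenSSL). The function name and the three version strings the operator supplies are assumptions of this example, it assumes the OpenSSL in use was built with zlib support, and combinations the page does not discuss follow the build-time branch.

```python
import re

def parse(version):
    """Numeric part of a version string: '0.9.8o' -> (0, 9, 8)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups())

def in_fixed_release(v, stable_fix, mainline_fix):
    """True if v is at or after the fix on its branch ('1.1.6+/1.0.9+' style)."""
    if v >= mainline_fix:
        return True
    # Older stable branch: fixed from stable_fix up to the next minor series.
    return stable_fix <= v < (stable_fix[0], stable_fix[1] + 1, 0)

def tls_compression_expected(nginx, built_openssl, runtime_openssl):
    """Return (compression_possible, reason) following the rules on this page."""
    n = parse(nginx)
    built, run = parse(built_openssl), parse(runtime_openssl)
    modern = (1, 0, 0)
    if built >= modern:
        # nginx 1.1.6+/1.0.9+ sets an OpenSSL option to disable compression.
        if not in_fixed_release(n, (1, 0, 9), (1, 1, 6)):
            return True, "nginx predates the OpenSSL 1.0.0+ fix"
        if run < modern:
            # The case from the comments: the option is set but not understood.
            return True, "runtime OpenSSL ignores the disable option"
        return False, "nginx sets the disable option and OpenSSL honours it"
    # Built against older OpenSSL: nginx 1.3.2+/1.2.2+ uses a workaround.
    if in_fixed_release(n, (1, 2, 2), (1, 3, 2)):
        return False, "nginx applies its workaround for older OpenSSL"
    return True, "nginx predates the older-OpenSSL workaround"

# Constructed inputs based on the setups described in the comments above;
# the build-time "1.0.0" stands in for the "1.0.0+" the comment mentions.
PAGE_CASES = [
    ("1.2.1", "0.9.8o", "0.9.8o"),  # Debian squeeze backports setup
    ("1.2.2", "1.0.0", "0.9.8k"),   # precompiled binary, older runtime library
    ("1.2.2", "0.9.8k", "0.9.8k"),  # built and run against older OpenSSL
]

if __name__ == "__main__":
    for case in PAGE_CASES:
        print(case, "->", tls_compression_expected(*case))
```

A result of `False` only says nginx is expected to disable compression; confirm against the live handshake, as the question does with the browser's connection details.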
