On Aug 18, 2013, at 21:09 , itpp2012 wrote:
> Igor Sysoev Wrote:
> -------------------------------------------------------
>> Yes, modern nginx versions do not use SSL compression.
> [...]
>> You have to split the dual mode server section into two server
>> sections and set "gzip off" SSL-enabled on. There is no way to
>> disable gzip in dual mode server section, but if you really worry
>> about security in general the server sections should be different.
>
> If modern versions do not use ssl compression why split a dual mode server?
> If gzip is on in the http section, what happens then to the ssl section of a
> dual mode server?
These are different vulnerabilities: SSL compression is subject to
the CRIME vulnerability, while HTTP/SSL compression is subject to
the BREACH vulnerability.
--
Igor Sysoev
http://nginx.com/services.html
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
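
The split described in the thread, written out as an nginx configuration. This is an added example, not configuration posted by anyone in the thread; the server name, document root and certificate paths are placeholders. A `gzip on` set at the `http` level is inherited by every `server` block that does not override it, so the SSL-enabled section has to turn it off explicitly.

```nginx
events {}

http {
    # Inherited by every server block below unless overridden.
    gzip on;
    gzip_types text/css application/javascript application/json;

    # Before (dual mode, shown commented out): one server block answers
    # both plain HTTP and HTTPS, so HTTPS responses are gzip-compressed
    # too and the TLS side cannot be given its own gzip setting.
    #
    # server {
    #     listen 80;
    #     listen 443 ssl;
    #     server_name example.com;                              # placeholder
    #     ssl_certificate     /etc/nginx/ssl/example.com.crt;   # placeholder
    #     ssl_certificate_key /etc/nginx/ssl/example.com.key;   # placeholder
    #     root /var/www/example;                                # placeholder
    # }

    # After: plain-HTTP server keeps the inherited "gzip on".
    server {
        listen 80;
        server_name example.com;                                # placeholder
        root /var/www/example;                                  # placeholder
    }

    # After: SSL-enabled server overrides the inherited setting, so
    # responses sent over TLS are not HTTP-compressed (BREACH).
    server {
        listen 443 ssl;
        server_name example.com;                                # placeholder
        ssl_certificate     /etc/nginx/ssl/example.com.crt;     # placeholder
        ssl_certificate_key /etc/nginx/ssl/example.com.key;     # placeholder
        root /var/www/example;                                  # placeholder

        gzip off;
    }
}
```

After reloading, a request to the HTTPS server sent with `Accept-Encoding: gzip` should come back without a `Content-Encoding: gzip` response header, while the same request to the HTTP server should still be compressed.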