Pivotal Knowledge Base


Is SSL/TLS Compression disabled by default in vFabric Web Server 5.2.1?

The vFabric Web Server 5.2.x Release Notes (https://www.vmware.com/support/vfabric-platform/doc/vfabric-web-server-rn-5.2.0.html) include the following:

What's New in vFabric Web Server 5.2.1

This vFabric Web Server release includes the following new features and changes:

    • Disabled SSL/TLS Compression. OpenSSL compression is now disabled by default for protection against the CRIME exploit vector. The mod_ssl "SSLCompression on" configuration option is added to allow the administrator to re-enable compression. See Vulnerability Summary for CVE-2012-4929.

Unfortunately, this is not correct. Compression is not disabled by default until the later vFabric Web Server 5.3.x versions, and the SSLCompression directive is not available in mod_ssl until the 5.3.0 version.
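Because a 5.2.x server has no SSLCompression directive to inspect, the practical way to know whether it is exposed is to observe what the server negotiates. The script below is an added example written for this article, not Pivotal's or VMware's code: it sends a minimal TLS 1.2 ClientHello that offers the DEFLATE compression method ahead of null, then reads the compression method the server chose in its ServerHello. It assumes the server accepts a ClientHello carrying only an SNI extension (no signature_algorithms or supported_groups), that the ServerHello arrives in the first record, and that port 443 is the TLS listener. The two sample ServerHello records are constructed inline so the parser can be exercised offline; they are not captures from a real server.

```python
import os
import socket
import struct
import sys

# A handful of widely supported TLS 1.0-1.2 cipher suites (IANA values).
CIPHER_SUITES = [0x002F, 0x0035, 0xC013, 0xC02F, 0x000A]
COMPRESSION_NULL = 0
COMPRESSION_DEFLATE = 1  # RFC 3749; the method CRIME relies on


def build_client_hello(server_name: str) -> bytes:
    """Build a TLS 1.2 ClientHello that offers DEFLATE before null compression."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    # DEFLATE first: a server with compression enabled will normally select it.
    comps = bytes([COMPRESSION_DEFLATE, COMPRESSION_NULL])
    host = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = SNI
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                  # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + bytes([len(comps)]) + comps
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello (or an alert) and report what was negotiated."""
    if len(record) < 5:
        raise ValueError("record shorter than a TLS record header")
    content_type = record[0]
    rec_len = struct.unpack("!H", record[3:5])[0]
    payload = record[5:5 + rec_len]
    if content_type == 0x15:                                        # alert: server refused the hello
        if len(payload) < 2:
            raise ValueError("truncated alert")
        return {"alert": (payload[0], payload[1])}
    if content_type != 0x16 or not payload or payload[0] != 0x02:
        raise ValueError("expected a ServerHello handshake message")
    hs_len = int.from_bytes(payload[1:4], "big")
    hello = payload[4:4 + hs_len]
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    sid_len = hello[34]                                             # version(2) + random(32) precede it
    off = 35 + sid_len
    if len(hello) < off + 3:
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack("!H", hello[off:off + 2])[0]
    comp = hello[off + 2]
    return {
        "version": (hello[0], hello[1]),
        "cipher_suite": cipher,
        "compression_method": comp,
        "compression_enabled": comp != COMPRESSION_NULL,
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-record")
        buf += chunk
    return buf


def recv_record(sock: socket.socket) -> bytes:
    """Read exactly one TLS record (5-byte header plus payload)."""
    header = _recv_exact(sock, 5)
    length = struct.unpack("!H", header[3:5])[0]
    return header + _recv_exact(sock, length)


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect, send the ClientHello and return the parsed ServerHello fields."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        return parse_server_hello(recv_record(sock))


def _sample_server_hello(compression_method: int) -> bytes:
    """Constructed TLS 1.2 ServerHello for the offline demo (not a real capture)."""
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                    # version, random, empty session id
            + struct.pack("!H", 0x002F)                             # TLS_RSA_WITH_AES_128_CBC_SHA
            + bytes([compression_method]))
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body       # handshake type 2 = ServerHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


SAMPLE_SERVER_HELLO_DEFLATE = _sample_server_hello(COMPRESSION_DEFLATE)
SAMPLE_SERVER_HELLO_NULL = _sample_server_hello(COMPRESSION_NULL)


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        result = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    else:
        result = parse_server_hello(SAMPLE_SERVER_HELLO_DEFLATE)    # offline demonstration
    if "alert" in result:
        print("handshake refused, alert (level, description):", result["alert"])
    else:
        state = "ENABLED (CRIME-relevant)" if result["compression_enabled"] else "disabled"
        print("negotiated compression method %d: compression %s" % (result["compression_method"], state))
```

Run it as `python probe.py your-vfabric-host 443` against a server you administer; a compression method of 1 in the ServerHello means the server is negotiating DEFLATE and the release-note claim does not hold for that build. The client closes without completing the handshake, so expect a handshake-failure entry in the server's SSL log. On 5.3.0 and later the same check should report method 0 by default, and `SSLCompression off` in the mod_ssl configuration is the explicit setting.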

Since vFabric Web Server 5.2.0 reached its end of support on 09/14/2014, and since upgrading to a more current version provides these capabilities, there will be no patch or documentation change created.

