SSL compression doesn't work
Activity

Julia Vural March 4, 2025 at 9:28 PM
It appears that this issue is no longer being worked on, so we are closing it for housekeeping purposes. If you believe the issue still exists, please open a new ticket after confirming it's present in the latest release.

Vlad Lasky July 8, 2021 at 6:33 AM
I'm using Percona XtraDB Cluster 8.0.23-14.1 and also cannot get SSL compression enabled, no matter what cipher I try.
XtraDB Cluster is generating a lot of traffic between nodes. We really need to reduce this by having SSL compression enabled.
Can we please make the changes needed to re-enable support?
I'm also aware of the CRIME/BREACH exploits, but I think they are mainly a concern for HTTPS web servers on the public Internet that accept requests from anyone and not for this application that involves private communication between XtraDB nodes.
Thanks.

Description
OpenSSL changed the default to "no compression" due to the CRIME/BREACH exploits that depended on information leakage due to compression.
However, the Galera code was not updated to enable compression if specified.
Affects both 5.6 and 5.7
$ nmap -sT -PN -p 4130 192.168.86.105 --script ./ssl-enum-ciphers.nse
Starting Nmap 7.01 ( https://nmap.org ) at 2017-06-13 08:17 PDT
Nmap scan report for 192.168.86.105
Host is up (0.000088s latency).
PORT     STATE SERVICE
4130/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 4.50 seconds
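
As an added example (not part of the ticket, and not Percona or Galera code), this Python parses ssl-enum-ciphers output like the scan above and reports which protocol versions offer a compressor other than NULL. The function names and the second sample are constructed for illustration.

```python
import re

# Script section of the scan posted in this ticket (error lines trimmed).
TICKET_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|_  least strength: A
"""

# Constructed sample (not from the ticket): an endpoint that offers DEFLATE.
CONSTRUCTED_SCAN = TICKET_SCAN.replace("|       NULL\n|_", "|       DEFLATE\n|       NULL\n|_")

PROTO = re.compile(r"^(SSLv\d|TLSv\d(?:\.\d)?):$")

def compressors_by_protocol(text):
    """Map each protocol version in the output to the compressors listed for it."""
    result, proto, in_comp = {}, None, False
    for raw in text.splitlines():
        # Drop nmap's "|" / "|_" gutter; indentation is not relied on, so
        # output that lost its pipes and leading spaces parses the same way.
        line = raw.lstrip("|_ \t").strip()
        if not line:
            continue
        m = PROTO.match(line)
        if m:
            proto, in_comp = m.group(1), False
            result[proto] = []
        elif line == "compressors:":
            in_comp = proto is not None
        elif ":" in line or " " in line:
            in_comp = False  # another key, or a cipher line, ends the list
        elif in_comp:
            result[proto].append(line)
    return result

def compression_enabled(text):
    """Return {protocol: [non-NULL compressors]} for versions that offer any."""
    found = {p: [c for c in cs if c != "NULL"]
             for p, cs in compressors_by_protocol(text).items()}
    return {p: cs for p, cs in found.items() if cs}
```

An empty result from `compression_enabled` means every listed protocol version negotiates without compression, which is what the scan in this ticket shows.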