307121 - NSS does not support SSL compression (RFC 3749)

Status: VERIFIED DUPLICATE of bug 275744

(NSS :: Libraries, enhancement)

Description

[Georg v. Zezschwitz]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.10) Gecko/20050717 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.7.10) Gecko/20050717 Firefox/1.0.6

Quite few people know: SSLv3 + TLS Hello do not only negotiate the cipher
algorithms, but also the list of supported compression algorithms. In May 2004,
RFC 3749 made Code 1 for gzip/deflate compression the first standard SSL
compression algorith. OpenSSL 0.9.8 (when compiled with "zlib") supports it from
the scratch, so Apache with OpenSSL 0.9.8 (zlib) does.
Once SSLv2 support is dropped, SSL compression might be *the* standard
compression. Right: HTTP has its compression algorith, but SMTP / IMAP do not.
So, e.g. Thunderbird with an OpenSSL based server on the other side would use
compresion - based on open standards.

Sorry, I am certainly not the expert for this issue - but my impression is
nearly nobody knows about SSL compression. Sorry, if I am wrong.

Reproducible: Always

Steps to Reproduce:
For testing a working SSL compression, do e.g.:
- Build OpenSSL 0.9.8 with "zlib"-option
- Start a background tcpdump/snoop
- Type: openssl s_client -ssl3 -connect www.vodafone.de:443
If SSL compression is supported, the following output will appear:
...
SSL-Session:
    Protocol  : SSLv3
...
    Cipher    : DHE-RSA-AES256-SHA
...
    Key-Arg   : None
   Compression: 1 (zlib compression)
    Start Time: 1125934288
...

Now you can compare your packet sniffing results with non-ssl-compression sites.

Comment 1

[Josh Birnbaum]

*** This bug has been marked as a duplicate of 275744 ***