Inbound SSL Decryption Fails when SSL Compression is Enabled

Inbound SSL decryption fails even though a valid certificate and a supported cipher suite are in use. This can occur when Apache is the web server and curl (or an old version of Chrome/Firefox) is the client.



The issue occurs when SSL Compression is enabled on both client and server.

To verify, take a packet capture and look at the "Compression Method" field in the "Client Hello" and "Server Hello" messages.

[Screenshots (2013-02-04): Client Hello and Server Hello showing the "Compression Method" field]
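The check described above can also be scripted rather than read off a Wireshark screen. The following Python is an added example, not code from the original article or from any vendor: it parses the TLS record and handshake headers of a Client Hello and a Server Hello, lists the compression methods the client offered and the one the server chose, and flags the session when the server selected anything other than null (0x00). The two sample handshake messages are constructed inline with dummy random bytes and a single cipher suite so the script runs offline; the builder functions and the DEFLATE/LZS names are assumptions based on the TLS compression registry, not something taken from the page.

```python
"""Report the TLS "Compression Method" field from Client Hello / Server Hello records."""
import struct

HANDSHAKE = 0x16       # TLS record content type for handshake messages
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02
# Registered compression method ids (assumption: null/DEFLATE/LZS from the TLS registry)
COMPRESSION_NAMES = {0x00: "null", 0x01: "DEFLATE", 0x40: "LZS"}


def parse_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello or ServerHello.

    Returns {"type": ..., "compression_methods": [...]} where the list holds
    every method the client offered, or the single method the server chose.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated TLS record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")

    off = 2 + 32                      # skip protocol version and 32-byte random
    sid_len = hs[off]
    off += 1 + sid_len                # skip session id
    if hs_type == CLIENT_HELLO:
        cs_len = struct.unpack("!H", hs[off:off + 2])[0]
        off += 2 + cs_len             # skip cipher suite list
        cm_len = hs[off]
        off += 1
        methods = list(hs[off:off + cm_len])
        return {"type": "ClientHello", "compression_methods": methods}
    if hs_type == SERVER_HELLO:
        off += 2                      # skip the single chosen cipher suite
        return {"type": "ServerHello", "compression_methods": [hs[off]]}
    raise ValueError(f"unexpected handshake type 0x{hs_type:02x}")


def describe(record: bytes) -> str:
    """Human-readable summary, e.g. 'ClientHello: DEFLATE, null'."""
    info = parse_hello(record)
    names = ", ".join(COMPRESSION_NAMES.get(m, f"0x{m:02x}") for m in info["compression_methods"])
    return f"{info['type']}: {names}"


def compression_negotiated(client_record: bytes, server_record: bytes) -> bool:
    """True when the server picked a non-null method, i.e. SSL compression is on."""
    offered = parse_hello(client_record)["compression_methods"]
    chosen = parse_hello(server_record)["compression_methods"][0]
    if chosen not in offered:
        raise ValueError("server chose a compression method the client never offered")
    return chosen != 0x00


# --- constructed sample messages (not captured traffic) -----------------------

def _wrap(hs_type: int, body: bytes) -> bytes:
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_client_hello(compression_methods: bytes) -> bytes:
    """TLS 1.0 ClientHello offering one cipher suite and the given compression list."""
    body = (b"\x03\x01" + b"\x11" * 32 + b"\x00"          # version, random, empty session id
            + b"\x00\x02" + b"\x00\x2f"                   # one cipher suite
            + bytes([len(compression_methods)]) + compression_methods)
    return _wrap(CLIENT_HELLO, body)


def build_server_hello(compression_method: int) -> bytes:
    """TLS 1.0 ServerHello selecting the one cipher suite and the given method."""
    body = b"\x03\x01" + b"\x22" * 32 + b"\x00" + b"\x00\x2f" + bytes([compression_method])
    return _wrap(SERVER_HELLO, body)


if __name__ == "__main__":
    client = build_client_hello(bytes([0x01, 0x00]))   # client offers DEFLATE then null
    for server in (build_server_hello(0x01), build_server_hello(0x00)):
        print(describe(client))
        print(describe(server))
        print("SSL compression negotiated:", compression_negotiated(client, server))
```

A Server Hello whose method is anything but null is the signature of the failure on this page: the record payload is compressed before encryption, so a decryption proxy that does not implement DEFLATE cannot inflate the plaintext even with the right key. Once Apache runs with `SSLCompression off` (or the client is upgraded), the Server Hello will show null regardless of what the client offered.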



SSL Compression is disabled by default in most current clients and web servers because of a security issue known as the "CRIME attack". The resolution is to upgrade the server and client software to newer versions.

  • Update Apache to 2.4.3 or later, which adds an option to disable SSL Compression (the "SSLCompression" directive).
  • Update curl to 7.28.1 or later.
  • Use the latest version of Chrome or Firefox. (IE, Safari and Opera have never supported SSL Compression.)


