How to disable SSL compression in Hiawatha?

24 October 2016, 03:25
Hi Hugo,

First of all, thanks for the great work you are doing with Hiawatha!

I recently implemented Hiawatha reverse proxy for a few test websites I am playing with (also running on Hiawatha).

I ran the SSL check for one of the websites, you can see the result here []. It says: "This server does not mitigate the CRIME attack. Grade capped to C. "

Apparently, this can be fixed by disabling SSL compression.
Is this possible to do that in Hiawatha? If yes, could you please share how?
Do I have to do that on the reverse proxy and the web server itself as well?

I would really appreciate your help!

thanks a lot,
Hugo Leisink
24 October 2016, 05:16
Hiawatha doesn't support SSL compression. It should give you at least an A score. See here []. Are you sure there is no other proxy in front of your server?
26 October 2016, 09:50
Sorry for the late reply.
So there's Hiawatha reverse proxy, pointing to an NGINX which is in front of the Gitlab website,
Is it possible compression is enabled on the NGINX instance? That may explain it..

Hugo Leisink
26 October 2016, 15:04
No, SSL connections are terminated by Hiawatha and newly made to the backend webserver. I have no idea why you don't have an A score, but Hiawatha doesn't do SSL compression. It's even disabled in the TLS library.
This topic has been closed.