Welcome! Log In Create A New Profile


Re: crime tls attack

September 26, 2012 02:10AM
On Wed, Sep 26, 2012 at 08:49:08AM +0300, Pekka.Panula@sofor.fi wrote:

> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929
> Does we need to be worry about nginx? Can we disable SSL/TLS compression
> from server side?

For OpenSSL 1.0.0+ SSL compression was disabled since 1.1.6 and 1.0.6
as a side effect of decrease of memory consumption:

Changes with nginx 1.1.6 17 Oct 2011
Changes with nginx 1.0.9 01 Nov 2011

*) Feature: decrease of memory consumption if SSL is used.

For OpenSSL 0.9.8:

Changes with nginx 1.3.2 26 Jun 2012
Changes with nginx 1.2.2 03 Jul 2012

*) Change: SSL compression is now disabled when using all versions of
OpenSSL, including ones prior to 1.0.0.

Igor Sysoev

nginx mailing list
Subject Author Posted

crime tls attack

Anonymous User September 26, 2012 01:50AM

Re: crime tls attack

Igor Sysoev September 26, 2012 02:10AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 83
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready