Welcome! Log In Create A New Profile

Advanced

Re: crime tls attack

September 26, 2012 02:10AM
On Wed, Sep 26, 2012 at 08:49:08AM +0300, Pekka.Panula@sofor.fi wrote:

> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929
>
> Does we need to be worry about nginx? Can we disable SSL/TLS compression
> from server side?

For OpenSSL 1.0.0+ SSL compression was disabled since 1.1.6 and 1.0.6
as a side effect of decrease of memory consumption:

Changes with nginx 1.1.6 17 Oct 2011
Changes with nginx 1.0.9 01 Nov 2011

*) Feature: decrease of memory consumption if SSL is used.

For OpenSSL 0.9.8:

Changes with nginx 1.3.2 26 Jun 2012
Changes with nginx 1.2.2 03 Jul 2012

*) Change: SSL compression is now disabled when using all versions of
OpenSSL, including ones prior to 1.0.0.


--
Igor Sysoev
http://nginx.com/support.html

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

crime tls attack

Anonymous User September 26, 2012 01:50AM

Re: crime tls attack

Igor Sysoev September 26, 2012 02:10AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 90
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 254 on July 05, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready