crime tls attack
Igor Sysoev
igor at sysoev.ru
Wed Sep 26 06:07:57 UTC 2012
On Wed, Sep 26, 2012 at 08:49:08AM +0300, Pekka.Panula at sofor.fi wrote:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929
>
> Do we need to worry about nginx? Can we disable SSL/TLS compression
> from the server side?
For OpenSSL 1.0.0+, SSL compression has been disabled since 1.1.6 and 1.0.6
as a side effect of the decrease of memory consumption:
Changes with nginx 1.1.6 17 Oct 2011
Changes with nginx 1.0.9 01 Nov 2011
*) Feature: decrease of memory consumption if SSL is used.
For OpenSSL 0.9.8:
Changes with nginx 1.3.2 26 Jun 2012
Changes with nginx 1.2.2 03 Jul 2012
*) Change: SSL compression is now disabled when using all versions of
OpenSSL, including ones prior to 1.0.0.
--
Igor Sysoev
http://nginx.com/support.html
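
Added example, not part of the original message and not nginx code: one way to confirm from a captured handshake that a server is not negotiating TLS compression is to read the compression_method byte of its ServerHello (0 is null, 1 is DEFLATE). It assumes a TLS 1.2 or earlier ServerHello contained in a single record; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Compression method identifiers: null (RFC 5246) and DEFLATE (RFC 3749).
COMPRESSION_NAMES = {0: "null", 1: "DEFLATE"}


def server_hello_compression(record: bytes) -> int:
    """Return the compression_method byte from a TLS ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4:
        raise ValueError("truncated record")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        raise ValueError("ServerHello spans records (not handled here)")
    # server_version(2) + random(32), then a length-prefixed session_id.
    pos = 34
    if len(hello) < pos + 1:
        raise ValueError("truncated ServerHello")
    pos += 1 + hello[pos]
    # cipher_suite(2) is followed by compression_method(1).
    if len(hello) < pos + 3:
        raise ValueError("truncated ServerHello")
    return hello[pos + 2]


def compression_enabled(record: bytes) -> bool:
    # Any non-null method means the server agreed to compress TLS records.
    return server_hello_compression(record) != 0


def build_sample(compression: int, session_id: bytes = b"") -> bytes:
    """Constructed TLS 1.0 ServerHello for the demonstration (not a capture)."""
    hello = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
             + b"\x00\x2f" + bytes([compression]))
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for sample in (build_sample(0), build_sample(1, b"\xaa" * 32)):
        m = server_hello_compression(sample)
        print(COMPRESSION_NAMES.get(m, hex(m)), compression_enabled(sample))
```

A server that answers with method 0 even when the client offers DEFLATE has compression disabled on its side.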