crime tls attack

Igor Sysoev igor at sysoev.ru
Wed Sep 26 06:07:57 UTC 2012


On Wed, Sep 26, 2012 at 08:49:08AM +0300, Pekka.Panula at sofor.fi wrote:

> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929
> 
> Do we need to be worried about nginx? Can we disable SSL/TLS compression
> from the server side?

For OpenSSL 1.0.0+, SSL compression has been disabled since 1.1.6 and 1.0.6
as a side effect of a decrease in memory consumption:

Changes with nginx 1.1.6                                         17 Oct 2011
Changes with nginx 1.0.9                                         01 Nov 2011

    *) Feature: decrease of memory consumption if SSL is used.

For OpenSSL 0.9.8:

Changes with nginx 1.3.2                                         26 Jun 2012
Changes with nginx 1.2.2                                         03 Jul 2012

    *) Change: SSL compression is now disabled when using all versions of
       OpenSSL, including ones prior to 1.0.0.


-- 
Igor Sysoev
http://nginx.com/support.html
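
An added example, not part of the original message and not nginx project code: a small audit that flags hosts whose nginx/OpenSSL pair predates the changelog entries quoted above. The inventory format, host names and function names are hypothetical, and the code assumes a later release on the same or a newer branch keeps the change.

```python
import re

# Thresholds from the changelog entries quoted in the message above:
# (first fixed release on the stable branch, first fixed mainline release).
FIXED_OPENSSL_1_0_0_PLUS = ((1, 0, 9), (1, 1, 6))
FIXED_ANY_OPENSSL = ((1, 2, 2), (1, 3, 2))

# Constructed sample inventory (hypothetical format): host, nginx, OpenSSL.
SAMPLE_INVENTORY = """\
web-a 1.0.8 1.0.0e
web-b 1.0.15 1.0.0e
web-c 1.2.1 0.9.8o
web-d 1.2.1 1.0.1c
web-e 1.2.3 0.9.8o
web-f 1.3.1 0.9.8x
"""


def parse_version(text):
    """'0.9.8o' -> (0, 9, 8); letter suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def fixed_in(version, thresholds):
    stable, mainline = thresholds
    # Assumption: anything at or past the mainline release carries the change.
    if version >= mainline:
        return True
    # Assumption: later releases on the same major.minor branch keep it too.
    return version[:2] == stable[:2] and version >= stable


def compression_disabled(nginx, openssl):
    nginx_v, openssl_v = parse_version(nginx), parse_version(openssl)
    if fixed_in(nginx_v, FIXED_ANY_OPENSSL):
        return True
    return openssl_v >= (1, 0, 0) and fixed_in(nginx_v, FIXED_OPENSSL_1_0_0_PLUS)


def hosts_to_review(inventory):
    """Hosts whose nginx/OpenSSL pair predates the changes listed above."""
    flagged = []
    for line in inventory.splitlines():
        if line.strip():
            host, nginx, openssl = line.split()
            if not compression_disabled(nginx, openssl):
                flagged.append(host)
    return flagged
```

On the constructed inventory, `hosts_to_review(SAMPLE_INVENTORY)` returns the hosts to upgrade or inspect further.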


