CRIME TLS attack

Hi

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929

Do we need to be worried about nginx? Can we disable SSL/TLS compression
from the server side?
Pekka Panula | Jatkuvat palvelut | Sofor Oy | www.sofor.fi
Takakaarre 3 | PL 51 | FIN-62201 KAUHAVA | tel. +358 6 432 3111 | fax. +358 6 432 3555
Mob. + 358 50 384 3232 | [email protected]

On Wed, Sep 26, 2012 at 08:49:08AM +0300, [email protected] wrote:

NVD - CVE-2012-4929

Do we need to be worried about nginx? Can we disable SSL/TLS compression
from the server side?

For OpenSSL 1.0.0+, SSL compression has been disabled since 1.1.6 and 1.0.6
as a side effect of the decrease in memory consumption:

Changes with nginx 1.1.6    17 Oct 2011
Changes with nginx 1.0.9    01 Nov 2011

*) Feature: decrease of memory consumption if SSL is used.

For OpenSSL 0.9.8:

Changes with nginx 1.3.2    26 Jun 2012
Changes with nginx 1.2.2    03 Jul 2012

*) Change: SSL compression is now disabled when using all versions of
   OpenSSL, including ones prior to 1.0.0.

Igor S.
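
The version rules in the reply above, turned into a check that can be run over a server inventory. This is an added example, not part of the original thread and not nginx project code; the thresholds are the ones in the quoted changelog entries (1.1.6 / 1.0.9 for OpenSSL 1.0.0+, 1.3.2 / 1.2.2 for older OpenSSL). The function names, the inventory and the rule that later branches inherit the change are assumptions.

```python
import re

# Thresholds from the changelog entries quoted in the reply above.
# Assumption: branches newer than those named there (1.2.x over 1.1.x,
# 1.4+ over 1.3.x) inherit the change from the branch they grew out of.

def parse_version(text):
    """Extract the first x.y.z from a string: 'OpenSSL 0.9.8o' -> (0, 9, 8)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g) for g in m.groups())

def tls_compression_disabled(nginx_version, openssl_version):
    """True if this nginx/OpenSSL pair has SSL compression off per the changelog."""
    nginx = parse_version(nginx_version)
    openssl = parse_version(openssl_version)
    branch = nginx[:2]
    if openssl >= (1, 0, 0):
        # OpenSSL 1.0.0+: changed in 1.1.6, and in 1.0.9 on the 1.0.x branch.
        return nginx >= ((1, 0, 9) if branch == (1, 0) else (1, 1, 6))
    # OpenSSL before 1.0.0: changed in 1.3.2, and in 1.2.2 on the 1.2.x branch.
    return nginx >= ((1, 2, 2) if branch == (1, 2) else (1, 3, 2))

def hosts_needing_upgrade(inventory):
    """Return host names whose version pair still allows SSL compression."""
    return [host for host, ngx, ossl in inventory
            if not tls_compression_disabled(ngx, ossl)]

# Constructed sample inventory (host names and version pairs are made up).
SAMPLE_INVENTORY = [
    ("web1", "nginx/1.2.1", "OpenSSL 0.9.8o"),
    ("web2", "nginx/1.2.2", "OpenSSL 0.9.8o"),
    ("web3", "nginx/1.0.8", "OpenSSL 1.0.0d"),
    ("web4", "nginx/1.1.6", "OpenSSL 1.0.0e"),
    ("web5", "nginx/1.3.1", "OpenSSL 0.9.8x"),
]

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: SSL compression may still be enabled, upgrade nginx")
```

The OpenSSL version that matters is the one nginx actually runs against, so feed the check the library version from the host itself rather than from the package list of the build machine.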