From: "mame (Yusuke Endoh)"
Date: 2013-02-14T03:02:16+09:00
Subject: [ruby-core:52219] [ruby-trunk - Feature #7846][Assigned] [ext/openssl] Disable TLS/SSL compression by default?

Issue #7846 has been updated by mame (Yusuke Endoh).

Status changed from Feedback to Assigned
Assignee changed from mame (Yusuke Endoh) to MartinBosslet (Martin Bosslet)
Target version changed from 2.0.0 to next minor

Thank you for contacting me. Sorry, but it is too late for 2.0.0. Marking the target to next minor.

I'm not against the idea itself; this is not a question of "if" but "when". Changing the default configuration now looks to me dangerous rather than safe, unless we have an actual issue. It looks less dangerous than #7780, though.

As you may be concerned, it is actually difficult to change it in 2.0.0-pXXX because of compatibility. But I guess that it is possible in the near future, maybe 2.0.1 or 2.1.0. Could you please implement and commit it to trunk first, so that we can backport it quickly just in case?

Thank you for always maintaining the openssl ext!

--
Yusuke Endoh

----------------------------------------
Feature #7846: [ext/openssl] Disable TLS/SSL compression by default?
https://bugs.ruby-lang.org/issues/7846#change-36245

Author: MartinBosslet (Martin Bosslet)
Status: Assigned
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext
Target version: next minor

I'd like to disable TLS compression for all TLS connections by default using SSL_OP_NO_COMPRESSION to effectively disable CRIME-like attacks [1]. The patch would be relatively easy to write, but I'm aware that I'm well beyond the deadline for implementing new features. I'm sorry I couldn't raise this issue earlier, but I still feel this is something that should make it into 2.0.0 because

- We already included a similar fix to prevent the BEAST attack. CRIME is its logical descendant, so it would be only consequent to prevent it by default, too.
- If it's not added now, somebody else outside ruby-core might report it in the future anyway :)

I have to admit that I'm not sure if this could negatively affect any existing installations, though. It shouldn't, as this is normally a completely transparent feature that nobody should explicitly rely on, but of course, I can't give any guarantees.

What do you think, may I still implement this for 2.0.0? If accepted, please reassign to me!

[1] http://comments.gmane.org/gmane.comp.encryption.openssl.devel/21638

--
http://bugs.ruby-lang.org/
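The following is an added example, not code from the thread, from Martin Bosslet's patch, or from ruby/openssl itself. It shows what an application (or a library default) does to get the behaviour the feature request asks for: OR `SSL_OP_NO_COMPRESSION` into the context's option bits so that the TLS stack never offers or accepts a compression method, which removes the compression oracle CRIME depends on. It assumes the extension exports the constant as `OpenSSL::SSL::OP_NO_COMPRESSION` (present whenever the underlying libssl defines `SSL_OP_NO_COMPRESSION`), and the `|| 0` guards against older extension versions where `SSLContext#options` returns nil until assigned. The permissive context is built only to illustrate the "before" state; a practitioner has no reason to clear the flag in production.

```ruby
require "openssl"

# Added example (not from the ruby-core thread). Assumes the openssl extension
# exports OP_NO_COMPRESSION, the Ruby name for libssl's SSL_OP_NO_COMPRESSION.
NO_COMPRESSION = OpenSSL::SSL::OP_NO_COMPRESSION

# True when the context will refuse to negotiate TLS compression.
# (`|| 0` covers older extension versions whose #options is nil until set.)
def compression_disabled?(ctx)
  ((ctx.options || 0) & NO_COMPRESSION) != 0
end

# Hardened context: explicitly add OP_NO_COMPRESSION to whatever the
# extension's defaults already are. This is the one-liner a library default
# of "compression off" performs for every caller.
def no_compression_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options = (ctx.options || 0) | NO_COMPRESSION
  ctx
end

# "Before" state for comparison only: the flag cleared, so compression stays
# negotiable if libssl was built with compression support. Do not use this.
def compression_allowed_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options = (ctx.options || 0) & ~NO_COMPRESSION
  ctx
end

if __FILE__ == $0
  default = OpenSSL::SSL::SSLContext.new
  puts "default context refuses compression:    #{compression_disabled?(default)}"
  puts "hardened context refuses compression:   #{compression_disabled?(no_compression_context)}"
  puts "permissive context refuses compression: #{compression_disabled?(compression_allowed_context)}"
end
```

The first line of output is the interesting one on any given build: it reports whether the installed extension and libssl already disable compression by default (newer ruby/openssl releases set the bit in their default options, and libssl itself has compression off by default since 1.1.0). The hardening step is idempotent, so setting the bit explicitly costs nothing on those builds and closes the gap on older ones.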