From: "MartinBosslet (Martin Bosslet)" Date: 2013-02-14T03:33:21+09:00 Subject: [ruby-core:52221] [ruby-trunk - Feature #7846] [ext/openssl] Disable TLS/SSL compression by default? Issue #7846 has been updated by MartinBosslet (Martin Bosslet). mame (Yusuke Endoh) wrote: > Thank you for contacting me. > > Sorry, but it is too late for 2.0.0. Marking the target to next minor. > > I'm not against the idea itself; this is not a question of "if" but "when". > Changing the default configuration now looks to me dangerous rather than safe, unless we have an actual issue. It looks less dangerous than #7780, though. Thank you, I fully understand - I wasn't entirely sure about introducing it at this point either. Even if it looks unsuspicious, one never knows :) > As you may be concerned, it is actually difficult to change it in 2.0.0-pXXX because of compatibility. > But I guess that it is possible in the near future, maybe, 2.0.1 or 2.1.0. > > Could you please implement and commit it to trunk first, so that we can backport it quickly just in case? Sure, I'll do that! > Thank you for always maintaining the openssl ext! > You're welcome, it's my pleasure! ---------------------------------------- Feature #7846: [ext/openssl] Disable TLS/SSL compression by default? https://bugs.ruby-lang.org/issues/7846#change-36246 Author: MartinBosslet (Martin Bosslet) Status: Assigned Priority: Normal Assignee: MartinBosslet (Martin Bosslet) Category: ext Target version: next minor I'd like to disable TLS compression for all TLS connections by default using SSL_OP_NO_COMPRESSION to effectively disable CRIME-like attacks [1]. The patch would be relatively easy to write, but I'm aware that I'm well beyond the deadline for implementing new features. I'm sorry I couldn't raise this issue earlier, but I still feel this is something that should make it into 2.0.0 because - We already included a similar fix to prevent the BEAST attack. CRIME is its logical descendant, so it would be only consequent to prevent it by default, too. - If it's not added now, somebody else outside ruby-core might report it in the future anyway :) I have to admit that I'm not sure if this could negatively affect any existing installations, though. It shouldn't, as this is normally a completely transparent feature that nobody should explicitly rely on, but of course, I can't give any guarantees. What do you think, may I still implement this for 2.0.0? If accepted, please reassign to me! [1] http://comments.gmane.org/gmane.comp.encryption.openssl.devel/21638 -- http://bugs.ruby-lang.org/