[ruby-core:70753] [Ruby trunk - Feature #7846] [ext/openssl] Disable TLS/SSL compression by default?
From: zzak@...
Date: 2015-09-13 03:14:40 UTC
List: ruby-core #70753
Issue #7846 has been updated by Zachary Scott.

Assignee changed from Martin Bosslet to openssl

----------------------------------------
Feature #7846: [ext/openssl] Disable TLS/SSL compression by default?
https://bugs.ruby-lang.org/issues/7846#change-54132

* Author: Martin Bosslet
* Status: Assigned
* Priority: Normal
* Assignee: openssl
----------------------------------------
I'd like to disable TLS compression for all TLS connections by default using SSL_OP_NO_COMPRESSION to effectively disable CRIME-like attacks [1]. The patch would be relatively easy to write, but I'm aware that I'm well beyond the deadline for implementing new features.

I'm sorry I couldn't raise this issue earlier, but I still feel this is something that should make it into 2.0.0 because

- We already included a similar fix to prevent the BEAST attack. CRIME is its logical descendant, so it would be only consequent to prevent it by default, too.
- If it's not added now, somebody else outside ruby-core might report it in the future anyway :)

I have to admit that I'm not sure if this could negatively affect any existing installations, though. It shouldn't, as this is normally a completely transparent feature that nobody should explicitly rely on, but of course, I can't give any guarantees.

What do you think, may I still implement this for 2.0.0? If accepted, please reassign to me!

[1] http://comments.gmane.org/gmane.comp.encryption.openssl.devel/21638

--
https://bugs.ruby-lang.org/
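
Added example (not part of the original message or of Ruby's own code): one way an application can set the SSL_OP_NO_COMPRESSION option named above on its own contexts and audit existing ones, without depending on the library default. The helper names are hypothetical, and the "legacy" context is constructed to stand in for a default without the flag.

```ruby
require "openssl"

# Ruby's binding of OpenSSL's SSL_OP_NO_COMPRESSION.
NO_COMPRESSION = OpenSSL::SSL::OP_NO_COMPRESSION

# True when an options bitmask (Integer, or nil when unset) has the
# no-compression bit set.
def compression_disabled?(options)
  (options.to_i & NO_COMPRESSION) == NO_COMPRESSION
end

# Hypothetical helper: build a client context that never offers TLS
# compression, whatever defaults the installed Ruby/OpenSSL pair ships.
def build_client_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER)
  ctx.options = ctx.options.to_i | NO_COMPRESSION
  ctx
end

# Hypothetical audit: given {name => SSLContext}, return the names of the
# contexts that would still allow compression to be negotiated.
def contexts_allowing_compression(contexts)
  contexts.reject { |_name, ctx| compression_disabled?(ctx.options) }.keys
end

if __FILE__ == $PROGRAM_NAME
  hardened = build_client_context
  # Constructed sample: a context with the flag cleared on purpose.
  legacy = OpenSSL::SSL::SSLContext.new
  legacy.options = legacy.options.to_i & ~NO_COMPRESSION
  p contexts_allowing_compression("api" => hardened, "legacy" => legacy)
end
```

Running the audit over every context an application creates shows which connections still depend on the peer or the library build to refuse compression.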