Feature #7846
closed
[ext/openssl] Disable TLS/SSL compression by default?
Description
I'd like to disable TLS compression for all TLS connections by default using SSL_OP_NO_COMPRESSION
to effectively disable CRIME-like attacks [1].
The patch would be relatively easy to write, but I'm aware that I'm well beyond the deadline for
implementing new features. I'm sorry I couldn't raise this issue earlier, but I still feel this is
something that should make it into 2.0.0 because
- We already included a similar fix to prevent the BEAST attack. CRIME is its logical descendant,
so it would be only consequent to prevent it by default, too. - If it's not added now, somebody else outside ruby-core might report it in the future anyway :)
I have to admit that I'm not sure if this could negatively affect any existing installations, though.
It shouldn't, as this is normally a completely transparent feature that nobody should explicitly rely
on, but of course, I can't give any guarantees.
What do you think, may I still implement this for 2.0.0? If accepted, please reassign to me!
[1] http://comments.gmane.org/gmane.comp.encryption.openssl.devel/21638
Updated by mame (Yusuke Endoh) about 12 years ago
- Status changed from Feedback to Assigned
- Assignee changed from mame (Yusuke Endoh) to MartinBosslet (Martin Bosslet)
- Target version changed from 2.0.0 to 2.6
Thank you for contacting me.
Sorry, but it is too late for 2.0.0. Marking the target to next minor.
I'm not against the idea itself; this is not a question of "if" but "when".
Changing the default configuration now looks to me dangerous rather than safe, unless we have an actual issue. It looks less dangerous than #7780, though.
As you may be concerned, it is actually difficult to change it in 2.0.0-pXXX because of compatibility.
But I guess that it is possible in the near future, maybe, 2.0.1 or 2.1.0.
Could you please implement and commit it to trunk first, so that we can backport it quickly just in case?
Thank you for always maintaining the openssl ext!
--
Yusuke Endoh mame@tsg.ne.jp
Updated by MartinBosslet (Martin Bosslet) about 12 years ago
mame (Yusuke Endoh) wrote:
Thank you for contacting me.
Sorry, but it is too late for 2.0.0. Marking the target to next minor.
I'm not against the idea itself; this is not a question of "if" but "when".
Changing the default configuration now looks to me dangerous rather than safe, unless we have an actual issue. It looks less dangerous than #7780, though.
Thank you, I fully understand - I wasn't entirely sure about introducing it at this point either. Even if it looks unsuspicious, one never knows :)
As you may be concerned, it is actually difficult to change it in 2.0.0-pXXX because of compatibility.
But I guess that it is possible in the near future, maybe, 2.0.1 or 2.1.0.Could you please implement and commit it to trunk first, so that we can backport it quickly just in case?
Sure, I'll do that!
Thank you for always maintaining the openssl ext!
You're welcome, it's my pleasure!
Updated by zzak (zzak _) over 9 years ago
- Assignee changed from MartinBosslet (Martin Bosslet) to 7150
Updated by zzak (zzak _) over 9 years ago
- Status changed from Assigned to Closed
Completed in r45274:
https://github.com/ruby/ruby/commit/699b209cf8cf11809620e12985ad33ae33b119ee