Feature #7846

closed

[ext/openssl] Disable TLS/SSL compression by default?

Added by MartinBosslet (Martin Bosslet) about 11 years ago. Updated over 8 years ago.

Status: Closed
Assignee: -
Target version: -
[ruby-core:52217]

Description

I'd like to disable TLS compression for all TLS connections by default using SSL_OP_NO_COMPRESSION
to effectively disable CRIME-like attacks [1].

The patch would be relatively easy to write, but I'm aware that I'm well beyond the deadline for
implementing new features. I'm sorry I couldn't raise this issue earlier, but I still feel this is
something that should make it into 2.0.0 because

  • We already included a similar fix to prevent the BEAST attack. CRIME is its logical descendant,
    so it would be only consequent to prevent it by default, too.
  • If it's not added now, somebody else outside ruby-core might report it in the future anyway :)

I have to admit that I'm not sure if this could negatively affect any existing installations, though.
It shouldn't, as this is normally a completely transparent feature that nobody should explicitly rely
on, but of course, I can't give any guarantees.

What do you think, may I still implement this for 2.0.0? If accepted, please reassign to me!

[1] http://comments.gmane.org/gmane.comp.encryption.openssl.devel/21638
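
One way an application can check and enforce the option discussed above on its own contexts. This is an added example, not part of the original issue or of Ruby's ext/openssl code; the helper names and the sample contexts are constructed for illustration.

```ruby
require "openssl"

# Bit for SSL_OP_NO_COMPRESSION, or nil when the linked OpenSSL predates it.
NO_COMPRESSION =
  if OpenSSL::SSL.const_defined?(:OP_NO_COMPRESSION)
    OpenSSL::SSL::OP_NO_COMPRESSION
  end

# True when the context refuses to negotiate TLS-level compression.
def compression_disabled?(ctx)
  return false if NO_COMPRESSION.nil?
  (ctx.options.to_i & NO_COMPRESSION) != 0
end

# OR the flag into the existing options so other hardening bits are kept.
def disable_compression!(ctx)
  raise NotImplementedError, "OpenSSL lacks SSL_OP_NO_COMPRESSION" if NO_COMPRESSION.nil?
  ctx.options = ctx.options.to_i | NO_COMPRESSION
  ctx
end

# Given { name => SSLContext }, return the names that still allow compression.
def audit_contexts(named_contexts)
  named_contexts.reject { |_name, ctx| compression_disabled?(ctx) }.keys
end

# Constructed sample: one context with the bit explicitly cleared (as legacy
# code assigning its own option mask might do) and one hardened context.
def sample_contexts
  legacy = OpenSSL::SSL::SSLContext.new
  legacy.options = legacy.options.to_i & ~NO_COMPRESSION
  hardened = disable_compression!(OpenSSL::SSL::SSLContext.new)
  { "legacy" => legacy, "hardened" => hardened }
end

if __FILE__ == $PROGRAM_NAME
  contexts = sample_contexts
  puts "allow compression: #{audit_contexts(contexts).inspect}"
  contexts.each_value { |ctx| disable_compression!(ctx) }
  puts "after hardening:   #{audit_contexts(contexts).inspect}"
end
```

Assigning `ctx.options = SOME_FLAG` without OR-ing replaces the whole mask, which is how a context can silently lose this bit even when the library default sets it.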
