Feature #7846
closed
[ext/openssl] Disable TLS/SSL compression by default?
Description
I'd like to disable TLS compression for all TLS connections by default using SSL_OP_NO_COMPRESSION
to effectively disable CRIME-like attacks [1].
The patch would be relatively easy to write, but I'm aware that I'm well beyond the deadline for
implementing new features. I'm sorry I couldn't raise this issue earlier, but I still feel this is
something that should make it into 2.0.0 because
- We already included a similar fix to prevent the BEAST attack. CRIME is its logical descendant,
so it would only be consistent to prevent it by default, too.
- If it's not added now, somebody else outside ruby-core might report it in the future anyway :)
I have to admit that I'm not sure if this could negatively affect any existing installations, though.
It shouldn't, as this is normally a completely transparent feature that nobody should explicitly rely
on, but of course, I can't give any guarantees.
What do you think, may I still implement this for 2.0.0? If accepted, please reassign to me!
[1] http://comments.gmane.org/gmane.comp.encryption.openssl.devel/21638
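The change proposed above amounts to OR-ing SSL_OP_NO_COMPRESSION into the options of every SSLContext. The following is an added example, not code from ruby-core or the ext/openssl patch, that does this on one context and lets you check whether a given context (including one configured by set_params on your Ruby build) already has the bit set. The helper names tls_compression_disabled?, disable_tls_compression! and default_params_disable_compression? are this example's own; OpenSSL::SSL::OP_NO_COMPRESSION, SSLContext#options and SSLContext#set_params are the real ext/openssl API.

```ruby
require "openssl"

# Hypothetical helper (not part of ext/openssl): true if the
# SSL_OP_NO_COMPRESSION bit is set in the context's option flags, false if
# not, nil if the running OpenSSL build predates the option (constant absent).
def tls_compression_disabled?(ctx)
  return nil unless defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
  (ctx.options & OpenSSL::SSL::OP_NO_COMPRESSION) != 0
end

# Hypothetical helper (not part of ext/openssl): OR the bit into the existing
# options rather than assigning, so whatever is already set (OP_ALL
# workarounds, protocol-version exclusions, ...) is preserved. Must be called
# before the context is used for a handshake; options are read at connect time.
def disable_tls_compression!(ctx)
  return ctx unless defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
  ctx.options |= OpenSSL::SSL::OP_NO_COMPRESSION
  ctx
end

# Hypothetical helper (not part of ext/openssl): does this Ruby's default
# parameter set (what SSLContext#set_params applies) already turn compression
# off? This is exactly what the feature request asks to make true by default;
# the answer depends on the Ruby and OpenSSL versions you run it on.
def default_params_disable_compression?
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params
  tls_compression_disabled?(ctx)
end

# Walk one context through the change: [state before, state after].
def example
  ctx = OpenSSL::SSL::SSLContext.new
  before = tls_compression_disabled?(ctx)
  disable_tls_compression!(ctx)
  after = tls_compression_disabled?(ctx)
  [before, after]
end

if __FILE__ == $0
  before, after = example
  puts "fresh SSLContext:   compression disabled? #{before.inspect}"
  puts "after the helper:   compression disabled? #{after.inspect}"
  puts "set_params default: compression disabled? #{default_params_disable_compression?.inspect}"
end
```

The "before" value is deliberately not something to rely on: it is whatever the Ruby and OpenSSL versions happen to set, so application code that wants the CRIME mitigation regardless of defaults should apply the bit itself as disable_tls_compression! does. OR-ing is the safe operation here; assigning ctx.options = OP_NO_COMPRESSION would silently drop the other workarounds already enabled on the context.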