Issue #7846 has been reported by MartinBosslet (Martin Bosslet).

----------------------------------------
Feature #7846: [ext/openssl] Disable TLS/SSL compression by default?
https://bugs.ruby-lang.org/issues/7846

Author: MartinBosslet (Martin Bosslet)
Status: Feedback
Priority: Normal
Assignee: mame (Yusuke Endoh)
Category: ext
Target version: 2.0.0

I'd like to disable TLS compression for all TLS connections by default using SSL_OP_NO_COMPRESSION to effectively disable CRIME-like attacks [1].

The patch would be relatively easy to write, but I'm aware that I'm well beyond the deadline for implementing new features. I'm sorry I couldn't raise this issue earlier, but I still feel this is something that should make it into 2.0.0 because

- We already included a similar fix to prevent the BEAST attack. CRIME is its logical descendant, so it would be only consequent to prevent it by default, too.
- If it's not added now, somebody else outside ruby-core might report it in the future anyway :)

I have to admit that I'm not sure if this could negatively affect any existing installations, though. It shouldn't, as this is normally a completely transparent feature that nobody should explicitly rely on, but of course, I can't give any guarantees.

What do you think, may I still implement this for 2.0.0? If accepted, please reassign to me!

[1] http://comments.gmane.org/gmane.comp.encryption.openssl.devel/21638

--
http://bugs.ruby-lang.org/
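
Added example, not part of the issue report and not ruby-core's code: one way an application can set the SSL_OP_NO_COMPRESSION flag named above on its own OpenSSL::SSL::SSLContext, and audit whether a given context carries it. The helper names and the constructed "before" context are assumptions made for illustration.

```ruby
require "openssl"

# Ruby exposes OpenSSL's SSL_OP_NO_COMPRESSION as OpenSSL::SSL::OP_NO_COMPRESSION.
# The constant only exists when the linked OpenSSL provides the option, so it
# is looked up defensively; 0 means "not available in this build".
NO_COMPRESSION =
  if OpenSSL::SSL.const_defined?(:OP_NO_COMPRESSION)
    OpenSSL::SSL::OP_NO_COMPRESSION
  else
    0
  end

# Hypothetical helper: OR the flag into the context's current options so that
# every other option bit already set on the context is preserved.
def disable_tls_compression(ctx)
  raise "linked OpenSSL has no SSL_OP_NO_COMPRESSION" if NO_COMPRESSION.zero?
  ctx.options = (ctx.options || 0) | NO_COMPRESSION
  ctx
end

# Hypothetical helper: audit check for a context built elsewhere
# (for example by a library the application configures).
def tls_compression_disabled?(ctx)
  return false if NO_COMPRESSION.zero?
  ((ctx.options || 0) & NO_COMPRESSION) == NO_COMPRESSION
end

# Constructed "before" state: a context with the flag explicitly cleared,
# standing in for a configuration that never set it.
def context_without_flag
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options = (ctx.options || 0) & ~NO_COMPRESSION
  ctx
end

if __FILE__ == $PROGRAM_NAME
  ctx = context_without_flag
  puts "before: compression disabled? #{tls_compression_disabled?(ctx)}"
  disable_tls_compression(ctx)
  puts "after:  compression disabled? #{tls_compression_disabled?(ctx)}"
end
```

The flag has to be set before the context is used for a connection, because an SSLContext is frozen once it has been set up.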