Libravatar (obsolete)

Disable TLS compression

Bug #1050189 reported by François Marier
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Libravatar (obsolete)
Fix Released
High
François Marier

Bug Description

Once we are on Apache 2.4.3, we should disable TLS compression:

  https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslcompression

there are rumors that it can lead to an attack on TLS:

  http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor/19914#19914
  https://chromiumcodereview.appspot.com/10825183

François Marier (fmarier)
tags: added: ssl wheezy
François Marier (fmarier)
tags: added: jessie
removed: wheezy
Revision history for this message
François Marier (fmarier) wrote :

This has been deployed on production.

Changed in libravatar:
status: Confirmed → Fix Released
importance: Undecided → High
assignee: nobody → François Marier (fmarier)
information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.