According to [1], TLS compression is still the default configuration of OpenSSL. This opens OpenSSL and all dependent tools (Python, Ruby, etc.) to the CRIME attack.
I've already received pushback from some of these tools that "OpenSSL should just fix this", and while I'm working on convincing them that they have to own their security, correcting this would fix a huge number of tools in the future.

[1] http://www.openssl.org/docs/ssl/SSL_CONF_cmd.html

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
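An added example, not part of the original message and not OpenSSL project code: one way a dependent tool written in Python can check and enforce the no-compression setting itself with the standard `ssl` module, instead of relying on the library default. The helper names (`allows_compression`, `harden`, `legacy_style_context`, `audit`, `require_no_compression`) are hypothetical, and the "legacy" context is constructed here to stand in for a compression-enabled default.

```python
import ssl


def allows_compression(ctx: ssl.SSLContext) -> bool:
    """True if this context would still offer TLS-level compression."""
    return not (int(ctx.options) & int(ssl.OP_NO_COMPRESSION))


def harden(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Set SSL_OP_NO_COMPRESSION explicitly, whatever the library default is."""
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def legacy_style_context() -> ssl.SSLContext:
    """Constructed stand-in for a context built on a compression-enabled default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Clear the bit to reproduce the default the message describes.
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_COMPRESSION)
    return ctx


def audit(contexts: dict) -> list:
    """Return the names of contexts that must be fixed before use."""
    return sorted(name for name, ctx in contexts.items() if allows_compression(ctx))


def require_no_compression(tls_sock: ssl.SSLSocket) -> None:
    """Post-handshake guard: refuse a connection that negotiated compression."""
    method = tls_sock.compression()  # None when no compression is in use
    if method is not None:
        raise ssl.SSLError(f"TLS compression negotiated: {method}")


if __name__ == "__main__":
    contexts = {
        "create_default_context": ssl.create_default_context(),
        "legacy_style": legacy_style_context(),
    }
    print("needs fixing:", audit(contexts))
    for ctx in contexts.values():
        harden(ctx)
    print("after hardening:", audit(contexts))
```

`require_no_compression` is meant to be called on a connected `ssl.SSLSocket` right after the handshake, as a second check on what was actually negotiated.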