pound: TLS compression is insecure (CRIME attack) and can't be disabled
Hi, this is still an issue with Pound:
I'm now using the stable wheezy version:
And hosting an SSL cert with Pound results in:
This server does not mitigate the CRIME attack. Grade capped to B.
when testing with:
There is a fix listed in the bug report and also in the repo below for
both openssl 0.9.8 and openssl 1.0.0:
> My suggestion to anyone who needs PCI-DSS compliance is to run my
> branch here:
> https://github.com/goochjj/pound/tree/stage_for_upstream/v2.7b
> Zip here:
> https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7b.zip
> This is based on 2.7b, and includes a bunch of patches that I
> usually include in pound, to do things like SNI, CertDir includes,
> IncludeDir, PCRE redirects, etc.
> If you don't feel comfortable running a 2.7 branch, or don't want to
> include those patches, I've rolled a new branch:
> https://github.com/goochjj/pound/tree/pcidss/v2.6
> Zip here: https://github.com/goochjj/pound/archive/pcidss/v2.6.zip
> Which includes only the XSRF, SSLv2, SSL compression and cipher
> enhancements against a 2.6 baseline.
I feel this has to get priority for a backport, as it's a vulnerability.
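The "does not mitigate the CRIME attack" verdict above comes down to one byte in the ServerHello: whether the server picks a compression method other than NULL when the client offers DEFLATE. The following is an added example, not code from this bug report, from Pound, or from the branches quoted above, that performs exactly that check. It builds a TLS 1.0 ClientHello offering DEFLATE before NULL, parses the ServerHello compression byte, and can be pointed at a live Pound listener. The function names and the sample ServerHello records are my own constructions so the parsing logic can be exercised offline.

```python
"""Check whether a TLS server negotiates compression (the precondition for CRIME).

Added example, not part of Pound or the bug report. Function names, cipher
suite list and the constructed ServerHello samples are assumptions of this
example, not anything the page or the project defines.
"""
import os
import socket
import struct

NULL_COMPRESSION = 0x00
DEFLATE = 0x01

# A handful of widely supported suites so that an old Pound/OpenSSL build
# gets as far as sending a ServerHello rather than a handshake_failure alert.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0xC013, 0xC014]


def build_client_hello():
    """Return a TLS 1.0 ClientHello record offering DEFLATE first, then NULL."""
    body = b"\x03\x01" + os.urandom(32) + b"\x00"        # version, random, empty session_id
    suites = b"".join(struct.pack(">H", s) for s in CIPHER_SUITES)
    body += struct.pack(">H", len(suites)) + suites
    body += bytes([2, DEFLATE, NULL_COMPRESSION])          # compression_methods vector
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_server_hello(record):
    """Return (cipher_suite, compression_method) from a ServerHello record.

    Raises ValueError for anything that is not a ServerHello, e.g. an Alert record.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:                      # type 2 = server_hello
        raise ValueError("first handshake message is not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                           # skip server_version and random
    if len(body) < pos + 1:
        raise ValueError("truncated ServerHello")
    pos += 1 + body[pos]                                   # skip session_id (length-prefixed)
    if len(body) < pos + 3:
        raise ValueError("truncated ServerHello")
    cipher = struct.unpack(">H", body[pos:pos + 2])[0]
    compression = body[pos + 2]
    return cipher, compression


def negotiates_compression(record):
    """True if the server selected anything other than NULL compression."""
    return parse_server_hello(record)[1] != NULL_COMPRESSION


def probe(host, port=443, timeout=5.0):
    """Send the ClientHello to a live server and return the negotiated compression byte."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = sock.recv(4096)                             # ServerHello is the first record
    return parse_server_hello(data)[1]


def make_server_hello(compression, cipher=0x002F):
    """Constructed ServerHello record for offline use; not captured traffic."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack(">H", cipher) + bytes([compression])
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    comp = probe(host)
    print("%s: compression method 0x%02x -> %s" %
          (host, comp, "VULNERABLE (CRIME)" if comp != NULL_COMPRESSION else "ok"))
```

Run it against the Pound listener (`python crime_probe.py your.host`): a server that answers with compression method 0x01 is the case the scanner flags above. With OpenSSL 1.0.0 or later the server-side fix is `SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION)`; stock OpenSSL 0.9.8 has no such option, which is why the quoted branches carry a separate patch for it.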