[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

pound: TLS compression is insecure (CRIME attack) and can't be disabled

Hi this is still an issue with Pound:


I'm now using stable wheezy version:
Package: pound
Version: 2.6-2

And hosting an SSL-cert with pound results in:

This server does not mitigate the CRIME attack. Grade capped to B.

when testing with:


There is a fix listed in the bugreport and also in the repo below for both openssl 0.9.8 and openssl 1.0.0

> > My suggestion to anyone who needs PCI-DSS compliance is to run my
> branch here:
> > https://github.com/goochjj/pound/tree/stage_for_upstream/v2.7b
> >
> > Zip here:
> > https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7b.zip
> >
> > This is based on 2.7b, and includes a bunch of patches that I
> > usually include in pound, to do things like SNI, CertDir includes,
> IncludeDir, PCRE redirects, etc.
> >
> >
> > If you don't feel comfortable running a 2.7 branch, or don't want to
> > include those patches, I've rolled a new branch:
> > https://github.com/goochjj/pound/tree/pcidss/v2.6
> > Zip here: https://github.com/goochjj/pound/archive/pcidss/v2.6.zip
> >
> > Which includes only the XSRF, SSLv2, SSL compression and cipher
> > enhancements against a 2.6 baseline.

If fell this has to get prio to backport as its a vulnerability


Reply to: