#4249 no_sslcompression seems to have no effect (trying to mitigate TLS CRIME Vulnerability)

Milestone: 1.630
Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2013-06-06
Created: 2013-06-03
Creator: vilya
Private: No

Hi all,

changed

/etc/webmin/miniserv.conf

as follows:

no_sslcompression=1

but

openssl s_client -connect localhost:10000 | grep -i zlib

will still show that zlib compression is being used (Nessus will complain as well):

Compression: zlib compression
Expansion: zlib compression
    Compression: 1 (zlib compression)

Discussion

  • Jamie Cameron, 2013-06-04

    Do you know which openssl library version you have installed there? Versions below 1.0.1 don't support the option to disable compression.

  • vilya, 2013-06-04

    Jamie,

    thanks for the quick reply. I should have provided the information in the initial post to save us one roundtrip, anyway here are the version numbers:

    openssl version

    OpenSSL 1.0.1 14 Mar 2012

    lsb_release -a

    No LSB modules are available.
    Distributor ID: Ubuntu
    Description: Ubuntu 12.04.2 LTS
    Release: 12.04
    Codename: precise

    It's actually a completely patched ubuntu 12.04 which is a reason I was not checking versions before.

  • Jamie Cameron, 2013-06-04

    Could you run the following command on your system, and let me know what it outputs?

    perl -e 'use Net::SSLeay; print &Net::SSLeay::OP_NO_COMPRESSION,"\n"'

    This will indicate if the Perl SSL library knows about the NO_COMPRESSION option or not.

  • vilya, 2013-06-05

    Hi,

    So finally I'm learning some Perl :)

    Here's the output:

    perl -e 'use Net::SSLeay; print &Net::SSLeay::OP_NO_COMPRESSION,"\n"'
    131072

    If it helps I can set up a machine with SSH access (although this may take a couple of days).
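The two checks used in this thread, the "Compression:" lines that `openssl s_client` prints (quoted in the report) and the value of the OP_NO_COMPRESSION option bit that the Net::SSLeay one-liner prints, combined into one added Python script. This is an example written for this page, not code from Webmin or miniserv.pl; the sample s_client outputs are constructed from the lines quoted above, and `probe()` assumes a reachable host and a local OpenSSL build that is still able to offer compression.

```python
"""Checks for TLS compression (the CRIME vector) on a TLS endpoint.

Added example for this bug thread; not code from Webmin or miniserv.pl.
It ties together the option bit that disables compression
(SSL_OP_NO_COMPRESSION, the 131072 the Net::SSLeay one-liner printed)
and the "Compression:" lines `openssl s_client` prints after a handshake.
"""
import re
import socket
import ssl

# SSL_OP_NO_COMPRESSION as OpenSSL defines it: 0x00020000 == 131072.
OP_NO_COMPRESSION_VALUE = 0x00020000


def option_bit_value() -> int:
    """The NO_COMPRESSION option bit as the Python ssl module exposes it."""
    return int(ssl.OP_NO_COMPRESSION)


def hardened_context() -> ssl.SSLContext:
    """Server-side context with TLS compression explicitly disabled.
    (A certificate and key would be loaded before real use; none is needed
    to inspect the option bits.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the NO_COMPRESSION bit is set on the context's options."""
    return bool(int(ctx.options) & OP_NO_COMPRESSION_VALUE)


# Matches the "Compression:" / "Expansion:" lines of `openssl s_client`,
# including the indented copy inside the SSL-Session block.
_COMPRESSION_RE = re.compile(r"^\s*(Compression|Expansion):\s*(.+?)\s*$", re.MULTILINE)


def parse_s_client(output: str) -> dict:
    """Return {'compression': ..., 'expansion': ...} from s_client output.
    A value of None means s_client reported NONE / (none) for that field."""
    result = {"compression": None, "expansion": None}
    for field, value in _COMPRESSION_RE.findall(output):
        upper = value.upper()
        negotiated = not (upper == "NONE" or upper.endswith("(NONE)"))
        result[field.lower()] = value if negotiated else None
    return result


def compression_in_use(output: str) -> bool:
    """Detection rule (what a scanner flags): any compression method negotiated."""
    parsed = parse_s_client(output)
    return parsed["compression"] is not None or parsed["expansion"] is not None


def probe(host: str, port: int, timeout: float = 5.0):
    """Live check: handshake with the server and return the compression method
    it negotiated (None when none). The client deliberately re-enables
    compression on its side so a server that still accepts it shows up; whether
    the offer is actually sent depends on the local OpenSSL build (builds
    without zlib support cannot offer it), so `openssl s_client` from a
    zlib-enabled build remains the reference check."""
    ctx = ssl.create_default_context()
    ctx.options = int(ctx.options) & ~OP_NO_COMPRESSION_VALUE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.compression()


# Constructed sample outputs modelled on the lines quoted in the bug report.
SAMPLE_VULNERABLE = """\
New, TLSv1/SSLv3, Cipher is AES256-SHA
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Compression: 1 (zlib compression)
"""

SAMPLE_FIXED = """\
New, TLSv1/SSLv3, Cipher is AES256-SHA
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
"""

if __name__ == "__main__":
    print("NO_COMPRESSION bit:", option_bit_value())
    print("hardened context disables compression:", compression_disabled(hardened_context()))
    print("report sample flagged:", compression_in_use(SAMPLE_VULNERABLE))
    print("fixed sample flagged:", compression_in_use(SAMPLE_FIXED))
```

The 131072 printed by the Perl one-liner is 0x20000, the value of SSL_OP_NO_COMPRESSION, which is why a non-zero result showed that Net::SSLeay knew the option and left only the question of whether miniserv.pl actually applied it. Note that OpenSSL 1.1.0 and later disable compression by default, so against a modern server the live probe will usually report None regardless of the no_sslcompression setting; the s_client output parser is the check that reproduces what the scanner in the report saw.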

  • Jamie Cameron, 2013-06-05

    Yes, a machine with SSH access using the same openssl / OS version as you are seeing this problem on would be really useful.

  • Jamie Cameron, 2013-06-05

    Also, I'd be interested to know what ssl_ lines your /etc/webmin/miniserv.conf file contains, so I can see what SSL options are in force.

  • Jamie Cameron, 2013-06-05

    • status: open --> closed-fixed

  • vilya, 2013-06-06

    Hi Jamie,

    thanks for the timely support!

    I can confirm that the patched miniserv.pl is now disabling compression.

    Do you already have a rough estimate of when the next Webmin version will be released?

  • Jamie Cameron, 2013-06-06

    It will likely be a few weeks until the next major release.