Hi all,
changed
/etc/webmin/miniserv.conf
as follows:
no_sslcompression=1
but
openssl s_client -connect localhost:10000 | grep -i zlib
will still show that zlib compression is being used (Nessus will complain as well):
Compression: zlib compression
Expansion: zlib compression
Compression: 1 (zlib compression)
Do you know which openssl library version you have installed there? Versions below 1.0.1 don't support the option to disable compression.
Jamie,
thanks for the quick reply. I should have provided the information in the initial post to save us one roundtrip; anyway, here are the version numbers:
openssl version
OpenSSL 1.0.1 14 Mar 2012
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.2 LTS
Release: 12.04
Codename: precise
It's actually a completely patched Ubuntu 12.04, which is a reason I was not checking versions before.
Could you run the following command on your system, and let me know what it outputs?
perl -e 'use Net::SSLeay; print &Net::SSLeay::OP_NO_COMPRESSION,"\n"'
This will indicate if the Perl SSL library knows about the NO_COMPRESSION option or not.
Hi,
so finally I'm learning some Perl :)
here's the output:
If it helps, I can set up a machine with SSH access (although this may take a couple of days).
Yes, a machine with SSH access using the same openssl / OS version as you are seeing this problem on would be really useful.
Also, I'd be interested to know what ssl_ lines your /etc/webmin/miniserv.conf file contains, so I can see what SSL options are in force.
Actually, I found a bug that is breaking this setting! You can get a patch for it from https://github.com/webmin/webmin/commit/567b8817091c4ca93868ce40b7f7ba197957c18a , or wait for the next Webmin release.
Hi Jamie,
thanks for the timely support!
I can confirm that the patched miniserv.pl is now disabling compression.
Do you already have a rough estimate of when the next Webmin version will be released?
It will likely be a few weeks until the next major release.
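A repeatable form of the openssl s_client check used in this thread, for confirming the setting after patching. This is an added example, not part of the original posts or of Webmin; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify TLS compression from `openssl s_client` output read on stdin.
# Prints one of: enabled | disabled | unknown
# (hypothetical helper, not part of Webmin or OpenSSL)
tls_compression_status() {
    awk '
        # s_client reports compression in the handshake summary, and again in
        # the SSL-Session block when a method is in use, for example:
        #   "Compression: zlib compression", "Compression: 1 (zlib compression)"
        # or "Compression: NONE" when nothing was negotiated.
        /^[ \t]*Compression:/ {
            seen = 1
            if (tolower($0) !~ /none/) enabled = 1
        }
        END {
            if (!seen)        print "unknown"   # no handshake summary at all
            else if (enabled) print "enabled"
            else              print "disabled"
        }'
}

# Live check. Usage: check_tls_compression host:port
# Defaults to the address used in the thread.
check_tls_compression() {
    target="${1:-localhost:10000}"
    # </dev/null lets s_client exit after the handshake instead of waiting
    # for input; stderr is dropped so only the session summary is parsed.
    openssl s_client -connect "$target" </dev/null 2>/dev/null |
        tls_compression_status
}

# Constructed sample outputs (not captured from a real server).
sample_zlib='Compression: zlib compression
Expansion: zlib compression
    Compression: 1 (zlib compression)'
sample_none='Compression: NONE
Expansion: NONE'
```

An "unknown" result means no Compression line was seen, so the connection itself should be checked before the result is read as a pass.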