#4249 no_sslcompression seems to have no effect (trying to mitigate TLS CRIME Vulnerability)


Hi all,



as follows:



openssl s_client -connect localhost:10000 | grep -i zlib

will still show that zlib compression is being used (Nessus will complain as well):

Compression: zlib compression
Expansion: zlib compression
    Compression: 1 (zlib compression)
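
Added example (not part of the original ticket or of Webmin): a shell check that classifies the `openssl s_client` lines quoted above instead of grepping for zlib, so that a failed connection is not mistaken for disabled compression. The function names are hypothetical, and the sample inputs other than the three zlib lines are constructed.

```shell
# Classify TLS compression from `openssl s_client` output read on stdin.
# Prints one of: enabled, disabled, unknown.
tls_compression_state() {
    awk '
        # Matches the handshake summary lines and the indented
        # "Compression: 1 (zlib compression)" line of the session block.
        /^[ \t]*(Compression|Expansion):/ {
            seen = 1
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)   # drop the label
            sub(/[ \t\r]+$/, "", value)       # drop trailing whitespace
            if (toupper(value) != "NONE") enabled = 1
        }
        END {
            if (!seen)        print "unknown"   # no summary: handshake failed
            else if (enabled) print "enabled"
            else              print "disabled"
        }
    '
}

# Live check against host:port (needs the openssl CLI; not run here).
check_host() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | tls_compression_state
}

sample_with_zlib() {   # the three lines quoted in the post above
    printf '%s\n' 'Compression: zlib compression' \
                  'Expansion: zlib compression' \
                  '    Compression: 1 (zlib compression)'
}
sample_without() {     # constructed: summary lines with compression off
    printf '%s\n' 'Compression: NONE' 'Expansion: NONE'
}
sample_failed() {      # constructed: connection error, no summary printed
    printf '%s\n' 'connect:errno=111'
}

sample_with_zlib | tls_compression_state
sample_without   | tls_compression_state
sample_failed    | tls_compression_state
```

A bare `grep -i zlib` prints nothing both when compression is off and when the connection never completes; the `unknown` result keeps those two cases apart.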


  • Jamie Cameron

    Jamie Cameron - 2013-06-04

    Do you know which openssl library version you have installed there? Versions below 1.0.1 don't support the option to disable compression.

  • vilya

    vilya - 2013-06-04


    thanks for the quick reply. I should have provided the information in the initial post to save us one roundtrip, anyway here are the version numbers:

    openssl version

    OpenSSL 1.0.1 14 Mar 2012

    lsb_release -a

    No LSB modules are available.
    Distributor ID: Ubuntu
    Description: Ubuntu 12.04.2 LTS
    Release: 12.04
    Codename: precise

    It's actually a completely patched Ubuntu 12.04, which is a reason I was not checking versions before.

  • Jamie Cameron

    Jamie Cameron - 2013-06-04

    Could you run the following command on your system, and let me know what it outputs?

    perl -e 'use Net::SSLeay; print &Net::SSLeay::OP_NO_COMPRESSION,"\n"'

    This will indicate if the Perl SSL library knows about the NO_COMPRESSION option or not.

  • vilya

    vilya - 2013-06-05


    so finally I'm learning some perl :)

    here's the output:

    perl -e 'use Net::SSLeay; print &Net::SSLeay::OP_NO_COMPRESSION,"\n"'

    if it helps I can set up a machine with SSH access (although this may take a couple of days)

  • Jamie Cameron

    Jamie Cameron - 2013-06-05

    Yes, a machine with SSH access using the same openssl / OS version as you are seeing this problem on would be really useful.

  • Jamie Cameron

    Jamie Cameron - 2013-06-05

    Also, I'd be interested to know what ssl_ lines your /etc/webmin/miniserv.conf file contains, so I can see what SSL options are in force.

  • Jamie Cameron

    Jamie Cameron - 2013-06-05
  • vilya

    vilya - 2013-06-06

    Hi Jamie,

    thanks for the timely support!

    I can confirm that patched miniserv.pl is now disabling compression.

    Do you already have a rough estimate of when the next Webmin version will be released?

  • Jamie Cameron

    Jamie Cameron - 2013-06-06

    It will likely be a few weeks until the next major release.


