Not a fix, but to shut up the PCI scan, firewall off Webmin and Usermin and limit it (by IP address) to access by just the people who need to see it. If it's not answering the PCI scan, they can't very well worry about it.


Sometimes the easy solution is to be invisible.






From: Fajar Priyanto
Sent: Friday, January 04, 2013 11:24 PM
To: Webmin users list
Subject: Re: [webmin-l] Nessus says I'm vulnerable (SSL/TLS compression enabled)


It says in the meantime it's good to disable SSL compression in the webserver.

How can I do that with the Webmin webserver?


On Sat, Jan 5, 2013 at 2:49 PM, Fajar Priyanto wrote:

Hi Jamie,

Sorry, it took some time for me to upgrade it. It's on 1.610 now, also I've set it to "Use only PCI-compliant ciphers". But same result from the Nessus scan.

No workaround from Google so far :(


On Fri, Dec 21, 2012 at 12:09 PM, Jamie Cameron wrote:

You might want to try upgrading to Webmin 1.610. Also, at Webmin -> Webmin Configuration -> SSL Encryption, try selecting "Use only PCI-compliant ciphers"

  - Jamie

On 20/Dec/2012 17:27 Fajar Priyanto wrote ..

Hi all,

Nessus says my Webmin 1.580 is vulnerable to the CRIME attack because TLS/SSL compression is enabled. How do I remedy it? I cannot see any options for this in the configuration menu.

From Google looks like I can use SSLCompression off in httpd.conf?



This is the Nessus scan result:

TLS CRIME Vulnerability

Synopsis :

The remote service has a configuration that may make it vulnerable to
the CRIME attack.

Description :

The remote service has one of two configurations that are known to be
required for the CRIME attack:

- SSL / TLS compression is enabled.

- TLS advertises the SPDY protocol earlier than version 4.

Note that Nessus did not attempt to launch the CRIME attack against the remote service.

See also :

Solution :

Disable compression and / or the SPDY service.

Plugin Output :

The following configuration indicates that the remote service
may be vulnerable to the CRIME attack :

- SSL / TLS compression is enabled.


BID 55704
BID 55707

Other References :

Nessus Plugin ID : 62565


Thank you.

To dream and to write ^^
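
The "SSL / TLS compression is enabled" line in the scan output concerns the compression method a server selects in its TLS ServerHello. As an added example (not part of the original thread, and not Nessus or Webmin code), this Python parser reads that byte from a ServerHello record and flags anything other than null compression; the function names and the sample record bytes are constructed for illustration.

```python
import struct

# Compression method IDs: 0 = null (RFC 5246), 1 = DEFLATE (RFC 3749)
METHODS = {0: "null", 1: "DEFLATE"}

class ParseError(ValueError):
    """Raised when the bytes are not a complete ServerHello record."""

def server_hello_compression(record: bytes) -> int:
    """Return the compression_method byte from a TLS <= 1.2 style ServerHello."""
    if len(record) < 5:
        raise ParseError("short record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ParseError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != 0x02:
        raise ParseError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # server_version(2) + random(32) + session_id length(1) = 35 bytes
    if len(hello) != hs_len or hs_len < 35:
        raise ParseError("truncated ServerHello")
    off = 35 + hello[34]            # skip the variable-length session_id
    if hs_len < off + 3:            # cipher_suite(2) + compression_method(1)
        raise ParseError("ServerHello ends before compression_method")
    return hello[off + 2]

def compression_finding(record: bytes):
    """(flagged, method name): flagged when the server chose non-null compression."""
    method = server_hello_compression(record)
    return method != 0, METHODS.get(method, f"unknown({method})")

def sample_server_hello(compression: int) -> bytes:
    """Constructed test input: minimal ServerHello with a 4-byte session_id."""
    hello = (b"\x03\x01" + bytes(32) + b"\x04" + b"\xaa" * 4
             + b"\x00\x2f" + bytes([compression]))
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    for method in (1, 0):
        print(compression_finding(sample_server_hello(method)))
```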


