Hi all,
Nessus says my Webmin 1.580 is vulnerable to the CRIME attack because TLS/SSL compression is enabled. How do I remedy it? I cannot see any options for this in the configuration menu.
From Google, it looks like I can use SSLCompression off in httpd.conf?


This is the Nessus scan result:
TLS CRIME Vulnerability

Synopsis :

The remote service has a configuration that may make it vulnerable to
the CRIME attack.

Description :

The remote service has one of two configurations that are known to be
required for the CRIME attack:

- SSL / TLS compression is enabled.

- TLS advertises the SPDY protocol earlier than version 4.

Note that Nessus did not attempt to launch the CRIME attack against the remote service.

See also :

http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
http://www.nessus.org/u?a1e45597

Solution :

Disable compression and / or the SPDY service.

Plugin Output :

The following configuration indicates that the remote service
may be vulnerable to the CRIME attack :

- SSL / TLS compression is enabled.

CVE :
CVE-2012-4929
CVE-2012-4930

BID :
BID 55704
BID 55707

Other References :
OSVDB:85926
OSVDB:85927

Nessus Plugin ID : 62565


Thank you.
--
To dream and to write ^^
http://mars.arinet.org