Hi Jamie,
Sorry it took some time for me to upgrade it. It's on 1.610 now, and I've also set it to "Use only PCI-compliant ciphers". But same result from the Nessus scan.
No workaround from Google so far :(


On Fri, Dec 21, 2012 at 12:09 PM, Jamie Cameron <jcameron@webmin.com> wrote:

You might want to try upgrading to Webmin 1.610. Also, at Webmin -> Webmin Configuration -> SSL Encryption, try selecting "Use only PCI-compliant ciphers"

  - Jamie

On 20/Dec/2012 17:27 Fajar Priyanto <fajarpri@arinet.org> wrote ..

Hi all,
Nessus says my Webmin 1.580 is vulnerable to the CRIME attack because TLS/SSL compression is enabled. How do I remedy it? I cannot see any options for this in the configuration menu.
From Google it looks like I can use SSLCompression off in httpd.conf?


This is the Nessus scan result:
TLS CRIME Vulnerability

Synopsis :

The remote service has a configuration that may make it vulnerable to
the CRIME attack.

Description :

The remote service has one of two configurations that are known to be
required for the CRIME attack:

- SSL / TLS compression is enabled.

- TLS advertises the SPDY protocol earlier than version 4.

Note that Nessus did not attempt to launch the CRIME attack against the remote service.

See also :

http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
http://www.nessus.org/u?a1e45597

Solution :

Disable compression and / or the SPDY service.

Plugin Output :

The following configuration indicates that the remote service
may be vulnerable to the CRIME attack :

- SSL / TLS compression is enabled.

CVE :
CVE-2012-4929
CVE-2012-4930

BID :
BID 55704
BID 55707

Other References :
OSVDB:85926
OSVDB:85927

Nessus Plugin ID : 62565


Thank you.
--
To dream and to write ^^
http://mars.arinet.org


--
To dream and to write ^^
http://mars.arinet.org
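Added example (not from this thread or from Webmin): a small Python probe that reproduces what the Nessus plugin is reporting. It sends a raw TLS 1.2 ClientHello that offers DEFLATE compression and reads the compression_method byte the server picks in its ServerHello; a client built on an OpenSSL with compression disabled would never offer it, so the raw handshake is the reliable way to verify a fix. The host name and the Webmin port 10000 are assumptions for the usage call.

```python
import socket
import struct

NULL_COMPRESSION, DEFLATE = 0, 1


def build_client_hello(server_name):
    """TLS 1.2 ClientHello offering DEFLATE (1) and null (0) compression."""
    client_random = b"\x11" * 32                  # constructed, not secure-random
    # AES-GCM-less but widely supported suites: ECDHE-RSA-AES128/256-SHA, AES128/256-SHA, 3DES
    suites = bytes.fromhex("c013c014002f0035000a")
    comp = bytes([DEFLATE, NULL_COMPRESSION])
    sni = server_name.encode()
    sni_ext = struct.pack("!HHHBH", 0, len(sni) + 5, len(sni) + 3, 0, len(sni)) + sni
    groups = bytes.fromhex("0017001d")            # secp256r1, x25519
    groups_ext = struct.pack("!HHH", 10, len(groups) + 2, len(groups)) + groups
    exts = sni_ext + groups_ext
    body = (b"\x03\x03" + client_random + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + bytes([len(comp)]) + comp
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def server_hello_compression(reply):
    """Return the compression_method byte of a ServerHello record, or None
    if the reply is not a ServerHello (for example an alert)."""
    if len(reply) < 9 or reply[0] != 0x16 or reply[5] != 0x02:
        return None
    hello = reply[9:]                 # skip record (5) and handshake (4) headers
    session_id_len = hello[34]        # after version (2) + random (32)
    pos = 35 + session_id_len + 2     # skip session_id and cipher_suite
    if len(hello) <= pos:
        return None
    return hello[pos]


def compression_negotiated(host, port=10000, timeout=5):
    """True if the server accepted DEFLATE, i.e. the CRIME precondition is present."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(build_client_hello(host))
        reply = sock.recv(4096)       # ServerHello fits in the first record in practice
    return server_hello_compression(reply) == DEFLATE


if __name__ == "__main__":
    # Assumed host name; replace with the Webmin server under test.
    print("TLS compression negotiated:", compression_negotiated("webmin.example.test"))
```

After applying a fix, a result of False here matches what Nessus should report on its next scan; a TLS 1.3-only server always answers with compression 0.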