Red Hat Bugzilla – Bug 1030840
pound: TLS CRIME attack
Last modified: 2015-07-05 15:43:29 EDT
Pound, a reverse proxy, load balancer and HTTPS front-end for Web servers, is found to have the TLS compression enabled, which makes possible a practical attack CRIME, and there is no option to disable the TLS compression.
Some explanations and a possible patch is given here:
Created Pound tracking bugs for this issue:
Affects: fedora-all [bug 1030843]
Affects: epel-all [bug 1030844]
This should not be an issue in Fedora or EPEL any more. OpenSSL packages in Fedora and Red Hat Enterprise Linux 5 and 6 used to default to having compression enabled by default, but that was changed and compression it not enabled by default any more:
There is an option to enable compression by setting OPENSSL_DEFAULT_ZLIB environment variable.
If using older openssl packages, compression can be disabled using OPENSSL_NO_DEFAULT_ZLIB environment variable - see bug 857051 comment 5 for further details.
This was solved 10 months ago. Closing.