On 15/02/15 16:00, Arne Schwabe wrote:
> On 15.02.2015 15:24, Steffan Karger wrote:
>> As reported in trac #502, SSL compression can cause problems in some corner
>> cases. OpenVPN does not need SSL compression, since the control channel is
>> low bandwidth. This does not influence the data channel compression (i.e.
>> --comp or --comp-lzo).
>>
>> Even though this has not yet been relevant for OpenVPN (since an attacker
>> cannot easily control contents of control channel messages), SSL
>> compression has been used in the CRIME and BREACH attacks on TLS. TLS 1.3
>> will probably even remove support for compression altogether, for
>> exactly this reason.
>>
>> Since we don't need it, and SSL compression causes issues, let's just
>> disable it in OpenSSL builds. PolarSSL has no run-time flag to disable
>> compression, but is by default compiled without compression.
>>
> ACK from me. Sounds sensible to me. If we do not support 0.9.8 anymore (in
> -master perhaps?) I would like this to be committed without ifdef.

We've agreed to support RHEL5 until it goes EOL, which is March 31,
2017. [1] As RHEL5 is on 0.9.8 we need to support it. RHEL6 is on
1.0.1, so we'll have something to look forward to ;-)

[1] There is also an additional "extended life cycle" which RHEL
customers may opt-in for (for an additional fee), which I don't
think we should relate to.
<https://access.redhat.com/support/policy/updates/errata>

--
kind regards,
David Sommerseth