Hi,
our latest external PCI scan found SSL-enabled Postfix SMTP servers
(2.7.0 running on Ubuntu 10.04 LTS) vulnerable to SSL CRIME attacks
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929>.
I've ported the Apache httpd patch
<https://issues.apache.org/bugzilla/show_bug.cgi?id=53219> to Postfix
2.10. Please can you have a look at it?
Kind regards,
Andreas
--- postfix-2.10.0/src/tls/tls_server.c 2012-05-17 19:15:13.000000000 +0200
+++ postfix-2.10.0-nosslcomp/src/tls/tls_server.c 2013-05-13 17:09:53.591194385 +0200
@@ -393,6 +393,16 @@
SSL_CTX_set_verify_depth(server_ctx, props->verifydepth + 1);
/*
+ * Mitigate CRIME attacks (CVE-2012-4929)
+ */
+#ifdef SSL_OP_NO_COMPRESSION
+ /* OpenSSL >= 1.0 only */
+ SSL_CTX_set_options(server_ctx, SSL_OP_NO_COMPRESSION);
+#elif OPENSSL_VERSION_NUMBER >= 0x00908000L
+ sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
+#endif
+
+ /*
* Protocol work-arounds, OpenSSL version dependent.
*/
off |= tls_bug_bits();
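Review bot: the new `SSL_CTX_set_options(server_ctx, SSL_OP_NO_COMPRESSION)` call bypasses the option-accumulation pattern the surrounding code uses (`off |= tls_bug_bits();` just below the hunk); for consistency, OR the flag into `off` (`off |= SSL_OP_NO_COMPRESSION;`) so it is applied together with the other protocol options rather than through a separate call. Two further points on the same hunk: the `#elif OPENSSL_VERSION_NUMBER >= 0x00908000L` fallback, `sk_SSL_COMP_zero(SSL_COMP_get_compression_methods())`, empties OpenSSL's process-wide compression method stack, so it also disables compression for any client-side TLS context in the same process, whereas the `SSL_OP_NO_COMPRESSION` branch affects only `server_ctx`; since only `tls_server.c` is touched, the two branches do not cover the same scope, and the comment should say so (or the client context should get the same option). Finally, the header comment on the added block should mention that on OpenSSL older than 0.9.8 neither branch is compiled in and compression stays enabled, so that a reader of the fallback does not assume the mitigation is unconditional.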