Re: patch: mitigate CRIME attack

2013-05-14 Thread Scott Kitterman
Andreas Schiermeier wrote:
> I'm confident our auditors will understand and accept the
> argumentation.
> The finding comes from an automated scan.
>
> It's good to know 2.11 will include the ability to disable compression.
>
> Maybe I'll inform Ubuntu package maintainers about my patch, in case
> th

Re: patch: mitigate CRIME attack

2013-05-14 Thread Andreas Schiermeier
I'm confident our auditors will understand and accept the argumentation. The finding comes from an automated scan. It's good to know 2.11 will include the ability to disable compression. Maybe I'll inform Ubuntu package maintainers about my patch, in case there is rising demand for jumping throug

Re: patch: mitigate CRIME attack

2013-05-14 Thread Viktor Dukhovni
On Tue, May 14, 2013 at 02:03:44PM +0200, Andreas Schiermeier wrote:
> Thank you Wietse and Viktor for your clarifications.
>
> I admit, there's absolutely no need for the patch past Postfix 2.8 with
> OpenSSL 1.x.

The SSL_OP_NO_COMPRESSION control is not part of SSL_OP_ALL (bug-interop work-aro

Re: patch: mitigate CRIME attack

2013-05-14 Thread Andreas Schiermeier
Thank you Wietse and Viktor for your clarifications. I admit, there's absolutely no need for the patch past Postfix 2.8 with OpenSSL 1.x. Andreas

Re: patch: mitigate CRIME attack

2013-05-14 Thread Peter
On 05/14/2013 05:05 PM, Viktor Dukhovni wrote:
> Don't listen to brainless auditors wielding checklists.

Unfortunately you have to. They may be wrong but you're not going to pass PCI compliance scans unless you jump through their stupid hoops. I recommend that you don't put your MTA on the sa

Re: patch: mitigate CRIME attack

2013-05-13 Thread Viktor Dukhovni
On Mon, May 13, 2013 at 05:53:09PM +0200, Andreas Schiermeier wrote:
> our latest external PCI scan found SSL-enabled Postfix SMTP servers
> (2.7.0 running on Ubuntu 10.04 LTS) vulnerable to SSL CRIME attacks
> .

Don't listen to brainle

Re: patch: mitigate CRIME attack

2013-05-13 Thread Wietse Venema
Andreas Schiermeier:
> Hi,
>
> our latest external PCI scan found SSL-enabled Postfix SMTP servers
> (2.7.0 running on Ubuntu 10.04 LTS) vulnerable to SSL CRIME attacks
> .
>
> I've ported Apache httpd patch
>

patch: mitigate CRIME attack

2013-05-13 Thread Andreas Schiermeier
Hi, our latest external PCI scan found SSL-enabled Postfix SMTP servers (2.7.0 running on Ubuntu 10.04 LTS) vulnerable to SSL CRIME attacks . I've ported Apache httpd patch to P