[asterisk-bugs] [JIRA] (ASTERISK-24972) Transport Layer Security (TLS) Protocol CRIME Vulnerability
Alex A. Welzl (JIRA)
noreply at issues.asterisk.org
Fri Apr 17 05:06:32 CDT 2015
Alex A. Welzl created ASTERISK-24972:
----------------------------------------
Summary: Transport Layer Security (TLS) Protocol CRIME Vulnerability
Key: ASTERISK-24972
URL: https://issues.asterisk.org/jira/browse/ASTERISK-24972
Project: Asterisk
Issue Type: Bug
Security Level: None
Components: Resources/res_http_websocket
Affects Versions: 13.2.0
Reporter: Alex A. Welzl
Nessus and Acunetix discovered the following Medium vulnerability; please investigate whether SSL / TLS compression can be disabled.
Description
The remote service has one of two configurations that are known to be required for the CRIME attack:
- SSL / TLS compression is enabled.
- TLS advertises the SPDY protocol earlier than version 4.
Note that Nessus did not attempt to launch the CRIME attack against the remote service.
Solution
Disable compression and / or the SPDY service.
See Also
http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
https://discussions.nessus.org/thread/5546
http://www.nessus.org/u?8ec18eb5
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
Output
The following configuration indicates that the remote service may be vulnerable to the CRIME attack:
- SSL / TLS compression is enabled.
Host: X.X.X.130
Port: 8089 / tcp / www
--
This message was sent by Atlassian JIRA (v6.2#6252)
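To reproduce what the scanner looked for, and to see the fix beside it, here is an added example (not Asterisk, Nessus or Acunetix code). It opens a TLS handshake from a client that is explicitly willing to negotiate compression, reports whether the server accepted a compression method or picked a SPDY version below 4 over ALPN, and shows the server-side mitigation: setting OP_NO_COMPRESSION on the context. The target host, the default port 8089 (taken from the Nessus output above), the list of ALPN names offered and the function names are assumptions for illustration. Two caveats: SPDY was historically advertised over NPN, which Python's ssl module no longer exposes, so a server that only announces SPDY via NPN is not caught here; and a client whose OpenSSL was built without zlib can never negotiate compression, so a "clean" result from such a client proves nothing about the server.

```python
"""Probe a TLS endpoint for the two CRIME preconditions (TLS compression,
SPDY < 4) and show the server-side mitigation.

Added example for this report; not Asterisk code. Host, the default port
8089 (from the scanner output) and the ALPN names offered are assumptions.
"""
import socket
import ssl
import sys

# ALPN identifiers offered so that a server still speaking SPDY will pick one.
# SPDY was historically advertised via NPN, which the ssl module no longer
# exposes, so NPN-only SPDY servers will not be detected by this probe.
SPDY_ALPN = ["spdy/3.1", "spdy/3", "spdy/2", "http/1.1"]


def probe_context() -> ssl.SSLContext:
    """Client context willing to negotiate TLS compression.

    The stdlib default sets OP_NO_COMPRESSION, so a probe built on the
    default context would report 'no compression' against every server,
    vulnerable or not. We clear that bit on purpose.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # probing compression, not the cert chain
    ctx.verify_mode = ssl.CERT_NONE
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    if ssl.HAS_ALPN:
        ctx.set_alpn_protocols(SPDY_ALPN)
    return ctx


def hardened_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server context with the actual CRIME fix: refuse TLS compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_COMPRESSION   # the mitigation the scanner asks for
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def compression_allowed(ctx: ssl.SSLContext) -> bool:
    """True if the context would still accept a TLS compression method."""
    return not (ctx.options & ssl.OP_NO_COMPRESSION)


def probe(host: str, port: int = 8089, timeout: float = 5.0):
    """Handshake with the server; return (compression, alpn_protocol)."""
    ctx = probe_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.compression(), tls.selected_alpn_protocol()


def assess(compression, negotiated_proto):
    """Map a handshake result onto the two scanner conditions."""
    findings = []
    if compression is not None:
        findings.append(f"TLS compression negotiated ({compression})")
    if negotiated_proto and negotiated_proto.startswith("spdy/"):
        major = int(negotiated_proto.split("/", 1)[1].split(".")[0])
        if major < 4:
            findings.append(f"SPDY version {major} (< 4) negotiated")
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8089
    result = assess(*probe(target, port))
    # A clean result is only conclusive if this client's OpenSSL was built
    # with zlib; otherwise compression can never be negotiated from our side.
    print("\n".join(result) if result else "no CRIME precondition observed")
```

Run it as `python3 crime_probe.py <host> 8089` against the Asterisk HTTPS/WebSocket listener. For a server written in C against OpenSSL the equivalent of the hardened context is `SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION)` before any connection is accepted; `assess` is kept separate from `probe` so the classification can be exercised on captured results without a live target.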