Hi, I was testing my server and a2sv says that it is vulnerable to CRIME ("CRIME(SPDY) ... Vulnerable!")
Checking at the code I see this check is done.
As far as I can see CRIME vulnerability appears when TLS compression is used. In my case running: openssl s_client -connect <IP>:<port> gives "Compression: NONE", so it seems not to be vulnerable to CRIME.
Also checked with these resources: 1 and testssl.sh
Because of that it seems to be a bug, but I want to confirm with you.
Hi, I was testing my server and a2sv says that it is vulnerable to CRIME ("CRIME(SPDY) ... Vulnerable!") Checking at the code I see this check is done.
As far as I can see CRIME vulnerability appears when TLS compression is used. In my case running:
openssl s_client -connect <IP>:<port>
gives "Compression: NONE", so it seems not to be vulnerable to CRIME.Also checked with these resources: 1 and testssl.sh
Because of that it seems to be a bug, but I want to confirm with you.