This repository has been archived by the owner on Dec 12, 2020. It is now read-only.

CRIME false positive #46

Open
cxzero opened this issue Jul 9, 2020 · 0 comments

cxzero commented Jul 9, 2020

Hi, I was testing my server and a2sv says that it is vulnerable to CRIME ("CRIME(SPDY) ... Vulnerable!").
Checking the code, I see this check is done.

As far as I can see, the CRIME vulnerability appears when TLS compression is used. In my case, running `openssl s_client -connect <IP>:<port>` gives "Compression: NONE", so it seems not to be vulnerable to CRIME.

Also checked with these resources: 1 and testssl.sh

Because of that it seems to be a bug, but I want to confirm with you.
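
The `openssl s_client` check described in the issue above, as an added example that is not part of the original issue or of a2sv: it classifies s_client output by its "Compression:" line and reports "unknown" rather than "safe" when no handshake summary is present. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output by its "Compression:" line.

# Reads s_client output on stdin and prints one verdict line.
tls_compression_verdict() {
    method=""
    while read -r key rest; do
        # The first match is the handshake summary, e.g. "Compression: NONE".
        if [ "$key" = "Compression:" ]; then method=$rest; break; fi
    done
    case "$method" in
        "")        echo "unknown" ;;   # no summary (failed handshake): not a "safe" result
        NONE|none) echo "no-tls-compression" ;;
        *)         echo "tls-compression-negotiated: $method" ;;
    esac
}

# Hypothetical wrapper around the command quoted in the issue (needs network).
# Caveat: OpenSSL 1.1.0+ clients do not offer compression unless asked
# (s_client -comp, if the build includes it), so NONE can reflect the client.
check_host() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | tls_compression_verdict
}

# Constructed sample outputs (not captured from a real server).
sample_none() { cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
EOF
}
sample_zlib() { cat <<'EOF'
New, TLSv1/SSLv3, Cipher is AES128-SHA
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Compression: 1 (zlib compression)
EOF
}
sample_refused() { echo "connect:errno=111"; }

for s in sample_none sample_zlib sample_refused; do
    printf '%s -> %s\n' "$s" "$($s | tls_compression_verdict)"
done
```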
