On Thu, 2016-03-24 at 22:40 +0100, Ondřej Surý wrote:
> On Thu, Mar 24, 2016, at 21:52, Adam D. Barratt wrote:
> > $ zgrep NO_COMPRESSION
> > /srv/release.debian.org/www/proposed-updates/jessie_diffs/cyrus-imapd-2.4_2.4.17+nocaldav-0~deb8u1.debdiff.gz
> >
> > + off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */
> > ++ off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */
> > ++ off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */
> > ++ off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */
> > ++ off |= SSL_OP_NO_COMPRESSION; /* Disable TLS compression */
>
> This should not be strictly needed as 2.4.18 has new option
> 'tls_compression' that's disabled by default, but I have restored that
> part of the patch anyway.

Ah, I see. Thanks.

> (Also I am not that sure that BEAST/CRIME/BREACH attacks apply to IMAP
> as well, but better be safe than sorry...)

I have to admit that I'm not really sure either. I've seen varying
arguments around the applicability of most of the TLS vulnerabilities to
non-HTTP protocols.

Regards,

Adam