Re: What about BREACH (CVE-2013-3587)?

2020-02-04 Thread Frank Liu
This is documented. Quote from http://nginx.org/en/docs/http/ngx_http_gzip_module.html

*When using the SSL/TLS protocol, compressed responses may be subject to BREACH attacks.*

On Tue, Feb 4, 2020 at 1:35 PM Rainer Duffner wrote:
>
> > Am 04.02.2020 um 21

Re: What about BREACH (CVE-2013-3587)?

2020-02-04 Thread Rainer Duffner
> On 04.02.2020 at 21:38, J.R. wrote:
>
> I think you are confusing TLS compression with HTTP compression...

Probably. I read that later somewhere else. I just wonder why it’s lumped-in in testssl.sh.

Re: message 3 / Robert Paprocki

2020-02-04 Thread Ian Morris Nieves
Hi Robert, Thanks for your input on this. I sincerely appreciate it. At the moment I am trying to get the most out of DNS (on Docker)… as a way to discover services (individual containers and replicas of containers). If I can solve the issue without having to introduce a new tool or container,

Re: What about BREACH (CVE-2013-3587)?

2020-02-04 Thread J.R.
> testssl.ch still laments about BREACH, when tested against a recent
> nginx 1.16.
>
> Qualys ssllabs doesn't mention it at all.
>
> Is it fixed?
>
> Can you safely enable gzip on ssl-vhosts?

I think you are confusing TLS compression with HTTP compression...

Re: error code 494

2020-02-04 Thread Frank Liu
Thanks Maxim for the quick fix! Based on https://tools.ietf.org/html/rfc6585#section-5, shall we by default return 431 instead of 400?

On Mon, Feb 3, 2020 at 8:47 AM Maxim Dounin wrote:
> Hello!
>
> On Sun, Feb 02, 2020 at 11:09:14PM -0800, Frank Liu wrote:
>
> > When I send a request with too

Re: Using Yubikey/PKCS11 for Upstream Client Certificates

2020-02-04 Thread erik
Specifically, I'd like to know if the proxy_ssl_certificate and proxy_ssl_certificate_key directives can support RFC-7512 PKCS#11 URIs, or whether they're hardwired to be just local file paths. With my private key in hardware, I'm looking for the ability to point nginx to something like: location

What about BREACH (CVE-2013-3587)?

2020-02-04 Thread rainer
Hi, testssl.ch still laments about BREACH, when tested against a recent nginx 1.16. Qualys ssllabs doesn't mention it at all. Is it fixed? Can you safely enable gzip on ssl-vhosts? Best Regards Rainer

Using Yubikey/PKCS11 for Upstream Client Certificates

2020-02-04 Thread erik
Hi there, I'm building a reverse proxy that needs to use TLS client certificates for authentication to its proxy_pass location. The documentation at https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/ is pretty clear in how to point Nginx to the signed certi