This repository has been archived by the owner on Dec 12, 2020. It is now read-only.

SPDY vulnerability misleading #36

Open
jeffdyke opened this issue Oct 18, 2018 · 1 comment


@jeffdyke

Not really a huge deal, but the output states my site has a SPDY version <4, but that's simply b/c the protocols are not advertised b/c NPN is disabled in favor of ALPN. Even if it were using NPN, the code is not checking the version, just that the line exists.

While I'm not going to point at my site here, check facebook.com and then go here: https://spdycheck.org/#facebook.com

@QinLongFei

I still hit this error. a2sv only searches for "Protocols advertised by server" in the output returned by `openssl s_client -connect ip:port -nextprotoneg NULL`.

If the server doesn't support the NPN extension, a2sv will report "Includes SPDY version <4" and consider the server vulnerable to CRIME.

It's very stupid, and I think the better way is to check whether the server supports SSL compression.
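
Added example, not part of the thread and not a2sv's code: a three-state parse of `openssl s_client` text that reads the SPDY versions from the NPN line, treats a missing NPN line as "unknown" rather than "vulnerable", and reports TLS compression separately. The sample outputs are constructed and trimmed, and the function and variable names are hypothetical.

```python
import re

# Lines of interest in `openssl s_client` output.
NPN_RE = re.compile(r"^Protocols advertised by server:[ \t]*(.*)$", re.M)
COMP_RE = re.compile(r"^[ \t]*Compression:[ \t]*(.+?)[ \t]*$", re.M)
SPDY_RE = re.compile(r"^spdy/(\d+)(?:\.\d+)?$")

# Constructed, trimmed sample outputs (not captured from any real host).
ALPN_ONLY = ("CONNECTED(00000003)\n---\nNo ALPN negotiated\n"
             "Compression: NONE\nExpansion: NONE\n")
NPN_SPDY = ("CONNECTED(00000003)\n"
            "Protocols advertised by server: spdy/3.1, http/1.1\n"
            "---\nCompression: NONE\nExpansion: NONE\n")
TLS_COMP = ("CONNECTED(00000003)\n---\n"
            "Compression: zlib compression\nExpansion: zlib compression\n")


def assess(output):
    """Return findings where each value is True, False, or None.

    None means the output holds no evidence either way, so a caller
    must not report it as a finding.
    """
    result = {"npn_protocols": None, "spdy_below_4": None,
              "tls_compression": None}

    npn = NPN_RE.search(output)
    if npn:
        protos = [p.strip() for p in npn.group(1).split(",") if p.strip()]
        result["npn_protocols"] = protos
        # Check the advertised version, not just that the line exists.
        majors = [int(m.group(1)) for m in map(SPDY_RE.match, protos) if m]
        result["spdy_below_4"] = any(v < 4 for v in majors)

    methods = COMP_RE.findall(output)
    if methods:
        # Any value other than NONE means a compression method was negotiated.
        result["tls_compression"] = any(m.upper() != "NONE" for m in methods)
    return result


if __name__ == "__main__":
    for name, text in (("alpn-only", ALPN_ONLY), ("npn-spdy", NPN_SPDY),
                       ("tls-compression", TLS_COMP)):
        print(name, assess(text))
```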
