
Re: disable TLS compression with openssl?



On Sun, Dec 06, 2015 at 07:27:31PM -0800, Paul B. Henson wrote:
> We're currently running through all of our SSL/TLS using apps to disable
> SSLv3 and update the accepted ciphers list, as well as other current
> best practices. I don't see any way to disable SSL compression in
> openldap? Does SSL compression with ldap traffic not lead to the same
> issue as it does in web traffic?

Looking at client/server exchanges with ssldump, I can see that 
compression is not enabled:
1 1  0.0046 (0.0046)  C>S  Handshake
      ClientHello
        Version 3.3 
        cipher suites
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
(...)
        TLS_EMPTY_RENEGOTIATION_INFO_SCSV
        compression methods
                  NULL

> Also, are there any plans to support ECDHE ciphers in openldap? 

It is in the trunk version. I made a patch to backport it to 2.4.40:
http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/databases/openldap/patches/patch-its7595?rev=1.1

-- 
Emmanuel Dreyfus
manu@netbsd.org
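The check above, done programmatically rather than by eye, as an added example that is not code from this thread or from OpenLDAP: it parses a TLS ClientHello record the way ssldump displays it and flags any compression method other than NULL. The ClientHello bytes are constructed inline (fixed random, empty session id, no extensions); the suite code points are the IANA values for the suites shown in the dump, and DEFLATE is the RFC 3749 value 1.

```python
import struct

# IANA code points for the suites shown in the ssldump output above.
SUITES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}
COMPRESSION = {0: "NULL", 1: "DEFLATE"}  # RFC 3749 registers DEFLATE as 1

def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello; return version, suites and compression methods."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 1:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    ver = struct.unpack("!H", hello[:2])[0]          # 0x0303 is what ssldump prints as "Version 3.3"
    pos = 2 + 32                                     # skip the 32-byte client random
    sid_len = hello[pos]; pos += 1 + sid_len         # skip the session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    cm_len = hello[pos]; pos += 1
    methods = list(hello[pos:pos + cm_len])
    return {"version": ver, "cipher_suites": suites, "compression_methods": methods}

def offers_compression(record: bytes) -> bool:
    """True if the client offers any compression method other than NULL (the CRIME-relevant case)."""
    return any(m != 0 for m in parse_client_hello(record)["compression_methods"])

def build_client_hello(suites, methods) -> bytes:
    """Constructed sample ClientHello: TLS 1.2, fixed random, empty session id, no extensions."""
    hello = struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"
    hello += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    hello += bytes([len(methods)]) + bytes(methods)
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(body)) + body

if __name__ == "__main__":
    clean = build_client_hello([0xC030, 0xC02C, 0x00FF], [0])
    deflate = build_client_hello([0xC030, 0xC02C, 0x00FF], [1, 0])
    for name, rec in (("compression off", clean), ("DEFLATE offered", deflate)):
        info = parse_client_hello(rec)
        print(name, [SUITES.get(s, hex(s)) for s in info["cipher_suites"]],
              [COMPRESSION.get(m, hex(m)) for m in info["compression_methods"]], offers_compression(rec))
```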