
Re: disable TLS compression with openssl?



On Sun, 06 Dec 2015 19:27:31 -0800,
"Paul B. Henson" <henson@acm.org> wrote:

> We're currently running through all of our SSL/TLS using apps to
> disable SSLv3 and update the accepted ciphers list, as well as other
> current best practices. I don't see any way to disable SSL
> compression in openldap? Does SSL compression with ldap traffic not
> lead to the same issue as it does in web traffic?

You probably should read
https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls
https://www.openssl.org/docs/manmaster/ssl/SSL_COMP_add_compression_method.htm

> Also, are there any plans to support ECDHE ciphers in openldap? I see
> there's an ITS ticket about it, it's rather old and the last update
> questioned whether those ciphers should be avoided due to potential
> NSA meddling in their design.

At LDAPcon 2015 it was announced to be included in OpenLDAP-2.5

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E