[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: disable TLS compression with openssl?

> From: Howard Chu
> Sent: Monday, December 07, 2015 6:26 AM
> OpenLDAP does not enable compression so there is nothing to disable.

Hmm, that's not what I am seeing. Using the latest sslscan:

$ sslscan ldap.cpp.edu:636
Version: 1.10.6
OpenSSL 1.0.1p 9 Jul 2015

Testing SSL server ldap.cpp.edu on port 636

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression enabled (CRIME)

shows that compression is enabled. As does Wireshark when sniffing the
packets over the wire. This is with openssl, perhaps gnutls behaves

> The CRIME attack does not work against LDAP or other stateful protocols
> where credentials are only sent once.

Great, thanks much for clarifying that for me.