[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: disable TLS compression with openssl?

Paul B. Henson wrote:
From: Howard Chu
Sent: Monday, December 07, 2015 6:26 AM

OpenLDAP does not enable compression so there is nothing to disable.

Hmm, that's not what I am seeing. Using the latest sslscan:

$ sslscan ldap.cpp.edu:636
Version: 1.10.6
OpenSSL 1.0.1p 9 Jul 2015

Testing SSL server ldap.cpp.edu on port 636

   TLS renegotiation:
Secure session renegotiation supported

   TLS Compression:
Compression enabled (CRIME)

Interesting. Mine shows disabled, but apparently the default build of OpenSSL on Ubuntu simply doesn't support compression. At any rate, it's of no real concern.


shows that compression is enabled. As does Wireshark when sniffing the
packets over the wire. This is with openssl, perhaps gnutls behaves

The CRIME attack does not work against LDAP or other stateful protocols
where credentials are only sent once.

Great, thanks much for clarifying that for me.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/