Re: disable TLS compression with openssl?
Paul B. Henson wrote:
From: Howard Chu
Sent: Monday, December 07, 2015 6:26 AM
OpenLDAP does not enable compression so there is nothing to disable.
Hmm, that's not what I am seeing. Using the latest sslscan:
$ sslscan ldap.cpp.edu:636
OpenSSL 1.0.1p 9 Jul 2015
Testing SSL server ldap.cpp.edu on port 636
Secure session renegotiation supported
Compression enabled (CRIME)
Interesting. Mine shows disabled, but apparently the default build of OpenSSL
on Ubuntu simply doesn't support compression. At any rate, it's of no real
shows that compression is enabled. As does Wireshark when sniffing the
packets over the wire. This is with openssl, perhaps gnutls behaves
The CRIME attack does not work against LDAP or other stateful protocols
where credentials are only sent once.
Great, thanks much for clarifying that for me.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/