William Brown wrote:
> Just want to point out there are some security risks with ssf settings.
> I have documented these here:
>
> https://fy.blackhats.net.au/blog/html/2016/11/23/the_minssf_trap.html

Nice writeup. I always considered SSF values to be naive and somewhat overrated. People expect too much when looking at these numbers - especially regarding the "strength" of cryptographic algorithms, which changes over time anyway as new cryptanalysis results come up.

Personally I always try to implement a TLS-is-a-must policy and prefer LDAPS (with correct protocol and ciphersuites configured) over LDAP/StartTLS to avoid this kind of pre-TLS leakage. Yes, I deliberately ignore "LDAPS is deprecated". ;-]

Furthermore, some LDAP server implementations (IIRC e.g. MS AD) refuse to accept SASL/GSSAPI bind requests sent over a TLS-secured channel. Which is IMO also somewhat questionable.

Ciao,
Michael.
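The "pre-TLS leakage" the reply refers to is a sequencing problem: a server that enforces a minimum SSF on bind can only reject the bind after the request, password included, has already arrived over whatever channel the client used. The following is an added illustration, not code from this thread, from William Brown's blog post or from any LDAP server or client library. It simulates a server with an assumed minssf of 128 and an assumed TLS channel SSF of 128, and compares three client orderings: LDAPS (TLS before any LDAP PDU), StartTLS followed by bind, and the leaky bind-then-StartTLS order. Only the last one puts the password on the wire in the clear, and the server's rejection does not undo that.

```python
"""Simulation of the "minssf trap": the server's SSF check runs after the
bind request (and the password in it) has already been received.

Added example for this thread; not code from the message or from any LDAP
implementation.  MINSSF, TLS_SSF and the three client orderings are
assumptions made for the simulation.
"""
from dataclasses import dataclass, field

MINSSF = 128   # assumed server policy: refuse binds on channels below this SSF
TLS_SSF = 128  # assumed SSF the server assigns to a TLS-protected channel


@dataclass
class WireRecord:
    op: str
    payload: str
    ssf: int  # security strength factor of the channel when the PDU was sent


@dataclass
class FakeServer:
    minssf: int = MINSSF
    ssf: int = 0  # 0 = cleartext TCP connection
    wire: list = field(default_factory=list)

    def receive(self, op: str, payload: str = "") -> str:
        # Whatever reaches the server has been on the wire at the current SSF.
        self.wire.append(WireRecord(op, payload, self.ssf))
        if op == "starttls":
            self.ssf = TLS_SSF
            return "success"
        if op == "bind":
            # The SSF policy is evaluated only now, after the password arrived.
            if self.ssf < self.minssf:
                return "confidentialityRequired"
            return "success"
        raise ValueError(f"unknown operation {op!r}")

    def cleartext_copies(self, secret: str) -> int:
        """How many times `secret` crossed the wire on a cleartext channel."""
        return sum(1 for r in self.wire if r.payload == secret and r.ssf == 0)


def ldaps_session(server: FakeServer, password: str) -> str:
    # ldaps://: the TLS handshake completes before the first LDAP PDU.
    server.ssf = TLS_SSF
    return server.receive("bind", password)


def starttls_then_bind(server: FakeServer, password: str) -> str:
    # ldap:// with StartTLS, hard-failing if the upgrade does not succeed.
    if server.receive("starttls") != "success":
        raise RuntimeError("StartTLS failed; refusing to bind in the clear")
    return server.receive("bind", password)


def bind_then_starttls(server: FakeServer, password: str) -> str:
    # The leaky ordering: bind first, upgrade the channel afterwards.
    result = server.receive("bind", password)
    server.receive("starttls")
    return result


def run(strategy, password: str = "s3cret-constructed") -> tuple:
    """Return (bind result, number of cleartext copies of the password)."""
    server = FakeServer()
    result = strategy(server, password)
    return result, server.cleartext_copies(password)


if __name__ == "__main__":
    for strategy in (ldaps_session, starttls_then_bind, bind_then_starttls):
        result, leaks = run(strategy)
        print(f"{strategy.__name__:20s} bind={result:24s} "
              f"cleartext copies of password={leaks}")
```

The bind-then-StartTLS run ends with the server answering `confidentialityRequired`, which looks like the policy worked; the wire record shows the password was nonetheless sent in the clear once. That is why the reply favours making TLS a client-side precondition (LDAPS, or StartTLS that must succeed before any bind) rather than relying on the server's SSF check alone.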