RE: disable TLS compression with openssl?



> From: Howard Chu
> Sent: Monday, December 07, 2015 6:26 AM
> 
> OpenLDAP does not enable compression so there is nothing to disable.

Hmm, that's not what I am seeing. Using the latest sslscan:

-----------------------
$ sslscan ldap.cpp.edu:636
Version: 1.10.6
OpenSSL 1.0.1p 9 Jul 2015

Testing SSL server ldap.cpp.edu on port 636

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression enabled (CRIME)
[...]
---------------------

shows that compression is enabled. As does Wireshark when sniffing the
packets over the wire. This is with OpenSSL; perhaps GnuTLS behaves
differently?

> The CRIME attack does not work against LDAP or other stateful protocols
> where credentials are only sent once.

Great, thanks much for clarifying that for me.