Re: disable TLS compression with openssl?

[Howard Chu <hyc@symas.com>]

Paul B. Henson wrote:
> > From: Howard Chu
> > Sent: Monday, December 07, 2015 6:26 AM
> >
> > OpenLDAP does not enable compression so there is nothing to disable.
>
> Hmm, that's not what I am seeing. Using the latest sslscan:
>
> -----------------------
> $ sslscan ldap.cpp.edu:636
> Version: 1.10.6
> OpenSSL 1.0.1p 9 Jul 2015
>
> Testing SSL server ldap.cpp.edu on port 636
>
>    TLS renegotiation:
> Secure session renegotiation supported
>
>    TLS Compression:
> Compression enabled (CRIME)

Interesting. Mine shows disabled, but apparently the default build of OpenSSL 
on Ubuntu simply doesn't support compression. At any rate, it's of no real 
concern.

> [...]
> ---------------------
>
> shows that compression is enabled. As does Wireshark when sniffing the
> packets over the wire. This is with openssl, perhaps gnutls behaves
> differently?
>
> > The CRIME attack does not work against LDAP or other stateful protocols
> > where credentials are only sent once.
>
> Great, thanks much for clarifying that for me.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/