Paul B. Henson wrote:
From: Howard Chu
Sent: Monday, December 07, 2015 6:26 AM
OpenLDAP does not enable compression so there is nothing to disable.
Hmm, that's not what I am seeing. Using the latest sslscan:
$ sslscan ldap.cpp.edu:636
Version: 1.10.6
OpenSSL 1.0.1p 9 Jul 2015

Testing SSL server ldap.cpp.edu on port 636

  TLS renegotiation:
Secure session renegotiation supported
  TLS Compression:
Compression enabled (CRIME)
Interesting. Mine shows disabled, but apparently the default build of OpenSSL on Ubuntu simply doesn't support compression. At any rate, it's of no real concern.
[...]
shows that compression is enabled. As does Wireshark when sniffing the packets over the wire. This is with openssl, perhaps gnutls behaves differently?
The CRIME attack does not work against LDAP or other stateful protocols where credentials are only sent once.
Great, thanks much for clarifying that for me.
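An added example, not code from this thread or from OpenLDAP: the two checks a defender would use to settle the question above on their own side. The first reads the compression_method the server actually chose out of a captured ServerHello (the field Wireshark displays), the second confirms that a Python SSLContext carries OP_NO_COMPRESSION. The ServerHello bytes are constructed here for testing (zero random, cipher 0xC02F).

```python
import ssl
import struct

# Compression method identifiers from RFC 5246 (null) and RFC 3749 (DEFLATE).
COMPRESSION_METHODS = {0x00: "null", 0x01: "DEFLATE"}


def server_hello_compression(record: bytes) -> str:
    """Return the compression method selected in a TLS ServerHello record.

    Only the fields up to compression_method are parsed; extensions are ignored.
    """
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:              # 0x02 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                      # skip server_version and random
    if len(hello) <= pos:
        raise ValueError("truncated ServerHello")
    pos += 1 + hello[pos]                             # skip length-prefixed session_id
    pos += 2                                          # skip cipher_suite
    if len(hello) <= pos:
        raise ValueError("truncated ServerHello")
    method = hello[pos]
    return COMPRESSION_METHODS.get(method, "unknown(0x%02x)" % method)


def compression_negotiated(record: bytes) -> bool:
    """True when the server picked anything other than the null method."""
    return server_hello_compression(record) != "null"


def build_server_hello(compression: int, session_id: bytes = b"") -> bytes:
    """Constructed TLS 1.2 ServerHello (all-zero random, cipher 0xC02F) for testing."""
    hello = (b"\x03\x03" + b"\x00" * 32
             + bytes([len(session_id)]) + session_id
             + b"\xc0\x2f" + bytes([compression]))
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def context_disables_compression(ctx: ssl.SSLContext = None) -> bool:
    """True when the context sets OP_NO_COMPRESSION (OpenSSL's SSL_OP_NO_COMPRESSION)."""
    if ctx is None:
        ctx = ssl.create_default_context()
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)
```

Feed a ServerHello captured from port 636 into compression_negotiated() to reproduce the sslscan verdict from the wire data; a server answering with DEFLATE has compression on regardless of what the client library reports.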