On Sun, 06 Dec 2015 19:27:31 -0800, "Paul B. Henson" henson@acm.org wrote:
> We're currently running through all of our SSL/TLS using apps to disable SSLv3 and update the accepted ciphers list, as well as other current best practices. I don't see any way to disable SSL compression in openldap? Does SSL compression with ldap traffic not lead to the same issue as it does in web traffic?
You probably should read https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information... https://www.openssl.org/docs/manmaster/ssl/SSL_COMP_add_compression_method.h...
> Also, are there any plans to support ECDHE ciphers in openldap? I see there's an ITS ticket about it, it's rather old and the last update questioned whether those ciphers should be avoided due to potential NSA meddling in their design.
At LDAPcon 2015 it was announced to be included in OpenLDAP-2.5.
-Dieter
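A way to verify both points raised above (whether the server actually negotiates TLS compression, and whether it offers an ECDHE suite) is to probe the endpoint from a hardened client and report what was negotiated. The script below is an added example, not code from this thread or from the OpenLDAP project. It issues the LDAP StartTLS extended operation by hand (BER encoding per RFC 4511; the OID 1.3.6.1.4.1.1466.20037 is the standard StartTLS OID), wraps the socket with a context that refuses compression and non-ECDHE ciphers, and prints the negotiated version, cipher and compression method. The host name and port on the command line are placeholders you supply; nothing here targets a real server.

```python
"""Probe an LDAP endpoint for its negotiated TLS parameters (added example).

Connects with a hardened client context, optionally performs the LDAP
StartTLS extended operation (RFC 4511 section 4.14), and reports which
protocol version, cipher suite and compression method the server chose.
A report of compression=None means the server did not negotiate TLS
compression, which is what a CRIME-safe deployment should show.
"""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID (RFC 4511)


def _ber_len(n: int) -> bytes:
    """Encode a BER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    msg_id = b"\x02\x01" + bytes([message_id])                      # INTEGER messageID
    req_name = b"\x80" + _ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # [0] requestName
    ext_req = b"\x77" + _ber_len(len(req_name)) + req_name            # [APPLICATION 23]
    body = msg_id + ext_req
    return b"\x30" + _ber_len(len(body)) + body                       # SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value triple at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_result_code(response: bytes) -> int:
    """Return resultCode from LDAPMessage { messageID, extendedResp [APPLICATION 24] }."""
    tag, body, _ = _read_tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, _msg_id, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, ext, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = _read_tlv(ext, 0)  # resultCode is the first element (ENUMERATED)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def hardened_context() -> ssl.SSLContext:
    """Client context: cert verification on, TLS 1.2+, no compression, ECDHE-only suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION                # never offer compression (CRIME)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")      # forward-secret suites only
    return ctx


def probe(host: str, port: int, starttls: bool = True, timeout: float = 5.0) -> dict:
    """Connect (StartTLS on 389-style ports, or direct LDAPS) and report what was negotiated."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if starttls:
            raw.sendall(build_starttls_request())
            code = parse_result_code(raw.recv(4096))
            if code != 0:
                raise RuntimeError(f"server refused StartTLS, resultCode={code}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],          # e.g. an ECDHE-RSA-AES128-GCM-SHA256 name
                "compression": tls.compression(),   # None when compression was not negotiated
            }


if __name__ == "__main__":
    # Usage: probe.py HOST [PORT] [ldaps]; HOST/PORT are placeholders you choose.
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    use_starttls = not (len(sys.argv) > 3 and sys.argv[3] == "ldaps")
    print(probe(host, port, starttls=use_starttls))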