Dieter Klünter wrote:
On Sun, 06 Dec 2015 19:27:31 -0800, "Paul B. Henson" henson@acm.org wrote:
We're currently running through all of our SSL/TLS-using apps to disable SSLv3 and update the accepted ciphers list, as well as other current best practices. I don't see any way to disable SSL compression in openldap?
OpenLDAP does not enable compression so there is nothing to disable.
Does SSL compression with ldap traffic not lead to the same issue as it does in web traffic?
No, it does not have the same issue. The CRIME attack works because http is a stateless protocol and so clients repeatedly send their authentication/authorization credentials in cookies attached to every request. In particular, the exact format of each request is known and it's trivial to create a request with plaintext chosen to guess at the credential portion.
The CRIME attack does not work against LDAP or other stateful protocols where credentials are only sent once.
You probably should read https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information... https://www.openssl.org/docs/manmaster/ssl/SSL_COMP_add_compression_method.h...
Also, are there any plans to support ECDHE ciphers in openldap? I see there's an ITS ticket about it, it's rather old and the last update questioned whether those ciphers should be avoided due to potential NSA meddling in their design.
At LDAPcon 2015 it was announced to be included in OpenLDAP-2.5.
-Dieter
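A way to verify what a live LDAPS endpoint actually negotiates, as an added example that is not part of this thread or of OpenLDAP's own code: it reports the negotiated protocol, cipher suite and compression, flags SSLv3/legacy protocols and non-forward-secret suites, and tests whether the server completes an ECDHE-only handshake. The host, port and function names are assumptions; the probe skips certificate validation because it inspects the session rather than authenticating the server.

```python
import socket
import ssl

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
# TLS 1.3 suites are named TLS_*; they always use an ephemeral (EC)DH exchange.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def assess_tls_session(protocol, cipher_name, compression):
    """Return findings for one negotiated session; an empty list means nothing to flag.

    protocol and cipher_name are what SSLSocket.version() and cipher()[0] return;
    compression is SSLSocket.compression(), None when no compression was negotiated.
    """
    findings = []
    if compression is not None:
        findings.append("TLS compression negotiated: %s" % compression)
    if protocol in LEGACY_PROTOCOLS:
        findings.append("legacy protocol negotiated: %s" % protocol)
    if not cipher_name.startswith(FORWARD_SECRET_PREFIXES):
        findings.append("cipher suite without forward secrecy: %s" % cipher_name)
    return findings


def _probe_context(ciphers=None):
    ctx = ssl.create_default_context()
    # Inspection only: do not let an untrusted test CA abort the probe.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Offer compression so the probe can see whether the server accepts it
    # (only meaningful when the local OpenSSL build has zlib support compiled in).
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    if ciphers:
        ctx.set_ciphers(ciphers)  # restricts TLS 1.2 and earlier; TLS 1.3 suites stay enabled
    return ctx


def probe_ldaps(host, port=636, timeout=5.0):
    """Connect to an LDAPS port and return (protocol, cipher_name, compression)."""
    ctx = _probe_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], tls.compression()


def server_offers_ecdhe(host, port=636, timeout=5.0):
    """True if a handshake limited to ECDHE suites (or TLS 1.3) succeeds."""
    ctx = _probe_context("ECDHE")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLError:
        return False
```

Run `assess_tls_session(*probe_ldaps("ldap.example.org"))` against a test server (hostname assumed) to get the list of findings; an empty list plus `server_offers_ecdhe(...)` returning True is the desired state.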