On Sun, Dec 06, 2015 at 07:27:31PM -0800, Paul B. Henson wrote:
> We're currently running through all of our SSL/TLS using apps to disable SSLv3 and update the accepted ciphers list, as well as other current best practices. I don't see any way to disable SSL compression in openldap? Does SSL compression with ldap traffic not lead to the same issue as it does in web traffic?
Looking at client/server exchanges with ssldump, I can see that compression is not enabled:

    1 1  0.0046 (0.0046)  C>S  Handshake
          ClientHello
            Version 3.3
            cipher suites
            TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
            TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
            (...)
            TLS_EMPTY_RENEGOTIATION_INFO_SCSV
            compression methods
                      NULL
> Also, are there any plans to support ECDHE ciphers in openldap?
It is in the trunk version. I made a patch to backport it to 2.4.40: http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/databases/openldap/patches/patch-...
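The ssldump trace above answers the compression question by reading the compression_methods field of the ClientHello. The script below is an added example, not code from the thread or from OpenLDAP: it parses that field out of a raw TLS handshake record and also reads the ServerHello, because under RFC 5246 the server selects one method from the client's list, so the ServerHello byte is what decides whether compression is actually in use on the connection. The handshake records it checks are constructed in the script (zero random, empty session id, no extensions); on a real LDAPS or StartTLS capture you would feed it the handshake records extracted from the pcap instead.

```python
"""Read the compression method negotiated in a TLS 1.2 handshake.

Added example for the OpenLDAP compression question above; the sample
records are constructed here, not captured from a real server.
"""
import struct

HANDSHAKE = 22
CLIENT_HELLO, SERVER_HELLO = 1, 2

COMPRESSION_NAMES = {0x00: "NULL", 0x01: "DEFLATE", 0x40: "LZS"}
CIPHER_NAMES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}


def _record(htype, payload, version=0x0303):
    """Wrap a handshake payload in a TLS record (content type 22)."""
    hs = bytes([htype]) + len(payload).to_bytes(3, "big") + payload
    return bytes([HANDSHAKE]) + struct.pack("!HH", version, len(hs)) + hs


def build_client_hello(suites, comps):
    """Constructed ClientHello (RFC 5246 7.4.1.2): zero random, no session id, no extensions."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(comps)]) + bytes(comps)
    return _record(CLIENT_HELLO, body)


def build_server_hello(suite, comp):
    """Constructed ServerHello selecting one cipher suite and one compression method."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", suite) + bytes([comp])
    return _record(SERVER_HELLO, body)


def _handshake(data):
    """Unwrap one TLS record and return (handshake_type, handshake_payload)."""
    if len(data) < 5:
        raise ValueError("short record")
    ctype, _ver, rlen = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rlen]
    if ctype != HANDSHAKE or len(body) != rlen or len(body) < 4:
        raise ValueError("not a complete handshake record")
    hlen = int.from_bytes(body[1:4], "big")
    payload = body[4:4 + hlen]
    if len(payload) != hlen:
        raise ValueError("truncated handshake message")
    return body[0], payload


def parse_client_hello(data):
    """Return the cipher suites and compression methods the client offered."""
    htype, p = _handshake(data)
    if htype != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    pos = 2 + 32                                  # skip client_version and random
    pos += 1 + p[pos]                             # session_id<0..32>
    cs_len = struct.unpack("!H", p[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", p[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comps = list(p[pos + 1:pos + 1 + p[pos]])     # compression_methods<1..2^8-1>
    return {"cipher_suites": suites, "compression_methods": comps}


def parse_server_hello(data):
    """Return the cipher suite and the single compression method the server selected."""
    htype, p = _handshake(data)
    if htype != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    pos = 2 + 32
    pos += 1 + p[pos]
    suite = struct.unpack("!H", p[pos:pos + 2])[0]
    return {"cipher_suite": suite, "compression_method": p[pos + 2]}


def audit(client_record, server_record):
    """Summarise what was offered and what the server actually chose."""
    ch, sh = parse_client_hello(client_record), parse_server_hello(server_record)
    name = lambda m: COMPRESSION_NAMES.get(m, "0x%02x" % m)
    return {
        "offered": [name(m) for m in ch["compression_methods"]],
        "selected": name(sh["compression_method"]),
        "cipher_suite": CIPHER_NAMES.get(sh["cipher_suite"], "0x%04x" % sh["cipher_suite"]),
        "compression_enabled": sh["compression_method"] != 0x00,
    }


# Constructed samples: a client like the one in the ssldump trace (NULL only),
# and one that also offers DEFLATE against a server that accepts it.
SAFE_CLIENT = build_client_hello([0xC030, 0xC02C, 0x00FF], [0x00])
SAFE_SERVER = build_server_hello(0xC030, 0x00)
RISKY_CLIENT = build_client_hello([0xC030, 0x00FF], [0x00, 0x01])
RISKY_SERVER = build_server_hello(0xC030, 0x01)

if __name__ == "__main__":
    for c, s in ((SAFE_CLIENT, SAFE_SERVER), (RISKY_CLIENT, RISKY_SERVER)):
        print(audit(c, s))
```

The reason to look at the ServerHello rather than stop at the ClientHello is that a trace taken with one client only tells you what that client offers; a differently built client (or one with a non-default OpenSSL) can offer DEFLATE, and whether the server accepts it is a property of the server's TLS stack, not of the client you happened to test with.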