We're currently running through all of our SSL/TLS using apps to disable SSLv3 and update the accepted ciphers list, as well as other current best practices. I don't see any way to disable SSL compression in openldap? Does SSL compression with ldap traffic not lead to the same issue as it does in web traffic?
Also, are there any plans to support ECDHE ciphers in openldap? I see there's an ITS ticket about it, it's rather old and the last update questioned whether those ciphers should be avoided due to potential NSA meddling in their design.
Thanks...
On Sun, Dec 06, 2015 at 07:27:31PM -0800, Paul B. Henson wrote:
We're currently running through all of our SSL/TLS using apps to disable SSLv3 and update the accepted ciphers list, as well as other current best practices. I don't see any way to disable SSL compression in openldap? Does SSL compression with ldap traffic not lead to the same issue as it does in web traffic?
Looking at client/server exchanges with ssldump, I can see that compression is not enabled: 1 1 0^@0046 (0^@0046) C>S Handshake ClientHello Version 3.3 cipher suites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (...) TLS_EMPTY_RENEGOTIATION_INFO_SCSV compression methods NULL
Also, are there any plans to support ECDHE ciphers in openldap?
It is in the trunk version. I made a patch to backport it to 2.4.40: http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/databases/openldap/patches/patch-...
Am Sun, 06 Dec 2015 19:27:31 -0800 schrieb "Paul B. Henson" henson@acm.org:
We're currently running through all of our SSL/TLS using apps to disable SSLv3 and update the accepted ciphers list, as well as other current best practices. I don't see any way to disable SSL compression in openldap? Does SSL compression with ldap traffic not lead to the same issue as it does in web traffic?
You probabely should read https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information... https://www.openssl.org/docs/manmaster/ssl/SSL_COMP_add_compression_method.h...
Also, are there any plans to support ECDHE ciphers in openldap? I see there's an ITS ticket about it, it's rather old and the last update questioned whether those ciphers should be avoided due to potential NSA meddling in their design.
At LDAPcon 2015 it was announced to be included in OpenLDAP-2.5
-Dieter
Dieter Klünter wrote:
Am Sun, 06 Dec 2015 19:27:31 -0800 schrieb "Paul B. Henson" henson@acm.org:
We're currently running through all of our SSL/TLS using apps to disable SSLv3 and update the accepted ciphers list, as well as other current best practices. I don't see any way to disable SSL compression in openldap?
OpenLDAP does not enable compression so there is nothing to disable.
Does SSL compression with ldap traffic not lead to the same issue as it does in web traffic?
No, it does not have the same issue. The CRIME attack works because http is a stateless protocol and so clients repeatedly send their authentication/authorization credentials in cookies attached to every request. In particular, the exact format of each request is known and it's trivial to create a request with plaintext chosen to guess at the credential portion.
The CRIME attack does not work against LDAP or other stateful protocols where credentials are only sent once.
You probabely should read https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information... https://www.openssl.org/docs/manmaster/ssl/SSL_COMP_add_compression_method.h...
Also, are there any plans to support ECDHE ciphers in openldap? I see there's an ITS ticket about it, it's rather old and the last update questioned whether those ciphers should be avoided due to potential NSA meddling in their design.
At LDAPcon 2015 it was announced to be included in OpenLDAP-2.5
-Dieter
From: Howard Chu Sent: Monday, December 07, 2015 6:26 AM
OpenLDAP does not enable compression so there is nothing to disable.
Hmm, that's not what I am seeing. Using the latest sslscan:
----------------------- $ sslscan ldap.cpp.edu:636 Version: 1.10.6 OpenSSL 1.0.1p 9 Jul 2015
Testing SSL server ldap.cpp.edu on port 636
TLS renegotiation: Secure session renegotiation supported
TLS Compression: Compression enabled (CRIME) [...] ---------------------
shows that compression is enabled. As does Wireshark when sniffing the packets over the wire. This is with openssl, perhaps gnutls behaves differently?
The CRIME attack does not work against LDAP or other stateful protocols where credentials are only sent once.
Great, thanks much for clarifying that for me.
Paul B. Henson wrote:
From: Howard Chu Sent: Monday, December 07, 2015 6:26 AM
OpenLDAP does not enable compression so there is nothing to disable.
Hmm, that's not what I am seeing. Using the latest sslscan:
$ sslscan ldap.cpp.edu:636 Version: 1.10.6 OpenSSL 1.0.1p 9 Jul 2015
Testing SSL server ldap.cpp.edu on port 636
TLS renegotiation: Secure session renegotiation supported
TLS Compression: Compression enabled (CRIME)
Interesting. Mine shows disabled, but apparently the default build of OpenSSL on Ubuntu simply doesn't support compression. At any rate, it's of no real concern.
[...]
shows that compression is enabled. As does Wireshark when sniffing the packets over the wire. This is with openssl, perhaps gnutls behaves differently?
The CRIME attack does not work against LDAP or other stateful protocols where credentials are only sent once.
Great, thanks much for clarifying that for me.
openldap-technical@openldap.org
-
Dieter Klünter -
Emmanuel Dreyfus -
Howard Chu -
Paul B. Henson