Dieter Klünter wrote:
On Sun, 06 Dec 2015 19:27:31 -0800,
"Paul B. Henson" <henson(a)acm.org> wrote:
> We're currently running through all of our SSL/TLS-using apps to
> disable SSLv3 and update the accepted ciphers list, as well as other
> current best practices. I don't see any way to disable SSL
> compression in openldap?
OpenLDAP does not enable compression so there is nothing to disable.
> Does SSL compression with ldap traffic not
> lead to the same issue as it does in web traffic?
No, it does not have the same issue. The CRIME attack works because http is a
stateless protocol and so clients repeatedly send their
authentication/authorization credentials in cookies attached to every request.
In particular, the exact format of each request is known and it's trivial to
create a request with plaintext chosen to guess at the credential portion.
The CRIME attack does not work against LDAP or other stateful protocols where
credentials are only sent once.
You probably should read
> Also, are there any plans to support ECDHE ciphers in openldap? I see
> there's an ITS ticket about it, it's rather old and the last update
> questioned whether those ciphers should be avoided due to potential
> NSA meddling in their design.
At LDAPcon 2015 it was announced that this will be included in OpenLDAP 2.5.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
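The mechanism the reply above describes, a compression oracle that works only because the secret (a cookie) is re-sent in every request next to plaintext the attacker chooses, as an added example; this is illustrative code written for this page, not code from the thread or from OpenLDAP. It assumes a simplified HTTP request model in which the attacker controls the request path and the client attaches the cookie, and uses zlib in place of TLS-level DEFLATE. The session cookie, host name and padding bytes are constructed for the example.

```python
import zlib

# Constructed sample secret (not from the thread): a hex session token that the
# browser attaches to every request and that the attacker wants to recover.
SECRET_COOKIE = b"sessionid=7f3a9c1e2b"
KNOWN_PREFIX = b"sessionid="          # the attacker knows the cookie name
ALPHABET = b"0123456789abcdef"
# Padding bytes appended to the attacker-controlled part of the request.
# They occur nowhere else, so they cannot extend a match, but they shift where
# the compressed stream ends relative to a byte boundary (in DEFLATE's fixed
# Huffman code each byte >= 0x90 costs 9 bits), so a saving of fewer than 8
# bits cannot be hidden by byte-granular sizes in every trial.
PADS = [bytes(range(0x90, 0x90 + k)) for k in range(8)]


def build_request(attacker_path: bytes, cookie: bytes) -> bytes:
    """Model one HTTP request: the attacker chooses the path (via a link or a
    script on a site they control) and the client appends the cookie.
    The host name is a constructed placeholder."""
    return (b"GET /" + attacker_path + b" HTTP/1.1\r\n"
            + b"Host: victim.example\r\n"
            + b"Cookie: " + cookie + b"\r\n\r\n")


def compressed_len(plaintext: bytes) -> int:
    """All that a passive observer of a compressed-then-encrypted record
    learns: the record size."""
    return len(zlib.compress(plaintext, 9))


def score(guess: bytes, cookie: bytes) -> int:
    """Sum of observed sizes over the paddings. When `guess` extends the true
    prefix, the cookie is encoded as a longer LZ77 back-reference to the
    attacker-controlled copy, which costs fewer bits than the literal byte a
    wrong guess forces the compressor to emit."""
    return sum(compressed_len(build_request(guess + pad, cookie)) for pad in PADS)


def recover_secret(known: bytes, cookie: bytes, length: int):
    """Recover `length` unknown bytes following `known`, one byte at a time.
    Returns the recovered cookie and the number of requests the victim's client
    had to send; every one of them re-transmits the cookie."""
    probes = 0
    for _ in range(length):
        best = min(ALPHABET, key=lambda c: score(known + bytes([c]), cookie))
        probes += len(ALPHABET) * len(PADS)
        known += bytes([best])
    return known, probes


if __name__ == "__main__":
    recovered, probes = recover_secret(KNOWN_PREFIX, SECRET_COOKIE, 10)
    print(recovered.decode(), "recovered after", probes, "requests")
```

Recovering the ten unknown hex digits takes 1280 oracle queries here, and each query is a separate request in which the client dutifully re-sends the cookie beside the attacker's guess. That repetition is the precondition; a protocol that sends the credential once, as an LDAP bind does, gives the attacker no second compressed record to compare, which is the distinction drawn in the reply above.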