Re: disable TLS compression with openssl?
On Sun, Dec 06, 2015 at 07:27:31PM -0800, Paul B. Henson wrote:
> We're currently running through all of our SSL/TLS using apps to disable
> SSLv3 and update the accepted ciphers list, as well as other current
> best practices. I don't see any way to disable SSL compression in
> openldap? Does SSL compression with ldap traffic not lead to the same
> issue as it does in web traffic?
Looking at client/server exchanges with ssldump, I can see that
compression is not enabled:
1 1  0.0046 (0.0046)  C>S  Handshake
      ClientHello
        Version 3.3
        cipher suites
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        (...)
        TLS_EMPTY_RENEGOTIATION_INFO_SCSV
        compression methods
                  NULL
> Also, are there any plans to support ECDHE ciphers in openldap?
It is in the trunk version. I made a patch to backport it to 2.4.40:
http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/databases/openldap/patches/patch-its7595?rev=1.1
--
Emmanuel Dreyfus
manu@netbsd.org
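As an added example (not part of this thread or of OpenLDAP), a small Python check for the same thing the ssldump trace above shows: parse a TLS ClientHello record and report whether the client offers any compression method other than NULL. The ClientHello bytes are constructed by the example itself, not captured from an LDAP session; the cipher suite codes (0xC030, 0xC02C, 0x00FF) are the IANA values for the suites named in the trace.

```python
import struct

def build_client_hello(cipher_suites, compression_methods):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input,
    not a captured packet): type 22 record wrapping handshake type 1."""
    body = b"\x03\x03" + bytes(32)              # client_version 3.3, random (zeros)
    body += b"\x00"                             # empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += bytes([len(compression_methods)]) + bytes(compression_methods)
    body += b"\x00\x00"                         # no extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record):
    """Return (version, cipher_suites, compression_methods) from a raw
    ClientHello record, walking the fixed layout of RFC 5246 section 7.4.1.2."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    version = (body[0], body[1])
    pos = 2 + 32                                # skip client_version + random
    sid_len = body[pos]; pos += 1 + sid_len     # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0]
              for i in range(0, cs_len, 2)]
    pos += cs_len
    cm_len = body[pos]; pos += 1
    comps = list(body[pos:pos + cm_len])        # 0 = NULL, 1 = DEFLATE
    return version, suites, comps

def offers_compression(record):
    """True if the ClientHello offers any non-NULL compression method."""
    return any(c != 0 for c in parse_client_hello(record)[2])

if __name__ == "__main__":
    # Same offer as the ssldump trace: two ECDHE GCM suites, the SCSV, NULL only.
    good = build_client_hello([0xC030, 0xC02C, 0x00FF], [0])
    bad = build_client_hello([0xC030, 0x00FF], [1, 0])   # DEFLATE offered
    print("trace-like hello offers compression:", offers_compression(good))
    print("DEFLATE hello offers compression:", offers_compression(bad))
```

The same parser can be pointed at a ClientHello pulled from a pcap to confirm a client build has compression off.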