logs archive: BotHelp.net / Freenode / #389 / 2015 / August / 4 / 1
gregwork
when enabled by the server, does tls/ssl use compression by default?
Crys
gregwork: you don't want to use TLS compression. It's a security risk.
gregwork: the CRIME attack is only possible with TLS compression enabled.
gregwork
yes i just want to know if it is a default
if we enable/require tls/ssl
in the server config
Crys
gregwork: I don't see SSL_ENABLE_DEFLATE in the source code of 398.
gregwork: The default setting of NSS is 'no TLS compression'. That probably means TLS compression is neither enabled nor supported.
gregwork
ok cool, thanks
Crys
gregwork: but I can't tell you for sure.
gregwork: it also depends on the client library. IIRC in order to have TLS compression the server must support it and the client must opt in.
gregwork
afaik, sssd / openssl
as the client
talking to the server
Crys
Do you know how to use Wireshark? It has an excellent SSL traffic analyzer. You can easily check if the handshake has the compression bit set.
Does sssd use OpenSSL for TLS/SSL? AFAIK it uses NSS, too.
MerlinTHP
On RHEL, it's sssd -> openldap -> nss