logs archiveBotHelp.net / Freenode / #389 / 2015 / August / 4 / 1
when enabled by the server does tls/ssl use compression by default ?
gregwork: you don't want to use TLS compression. It's a security risk.
gregwork: the CRIME attack is only possible with TLS compression enabled.
yes i just want to know if it is a default
if we enable/require tls/ssl
in the server config
gregwork: I don't see SSL_ENABLE_DEFLATE in the source code of 398.
gregwork: The default setting of NSS is 'no TLS compression'. That probably means TLS compression is neither enabled nor supported.
ok cool, thanks
gregwork: but I can't tell you for sure.
gregwork: it also depends on the client library. IIRC in order to have TLS compression the server must support it and the client must opt in.
afiak, sssd / openssl
as the client
talking to the server
Do you know how to use wireshark? It has an excellent SSL traffic analyzer. You can easily check if the handshake has the compression bit set.
Does sssd use OpenSSL for TLS/SSL? AFAIK it uses NSS, too.
On RHEL, it's sssd -> openldap -> nss