[patch] more TLS configuration options for nnrpd
Johan van Selst
johans at stack.nl
Sun Nov 9 09:59:31 UTC 2014
christian mock wrote:
> Additionally, TLS compression is turned off unconditionally (because
> of the CRIME attack) if the OpenSSL version supports this.
I like having control for TLS settings; although sensible defaults are
generally much more important. But I do not understand why this
specific compression setting is unconditional. To exploit CRIME requires
a huge amount of carefully triggered, very similar, but slightly
different server responses. I see no way to exploit this in the Netnews
context. And even if you somehow were able to exploit this and decipher
a couple of bytes of encrypted data sent by the server, I do not see
what an attacker would gain by this in the given context.
However, I do see the advantage of TLS compression to reduce the amount
of data transferred.
What do you hope to gain with this setting, and why is it unconditional?