[patch] more TLS configuration options for nnrpd

Johan van Selst johans at stack.nl
Sun Nov 9 09:59:31 UTC 2014


Hi Christian,

christian mock wrote:
> Additionally, TLS compression is turned off unconditionally (because
> of the CRIME attack) if the OpenSSL version supports this.

I like having control for TLS settings; although sensible defaults are
generally much more important. But I do not understand why this
specific compression setting is unconditional. To exploit CRIME requires
a huge amount of carefully triggered, very similar, but slightly
different server responses. I see no way to exploit this in the Netnews
context. And even if you somehow were able to exploit this and decipher
a couple of bytes of encrypted data sent by the server, I do not see
what an attacker would gain by this in the given context.
However, I do see the advantage of TLS compression to reduce the amount
of data transferred.

What do you hope to gain with this setting, and why is it unconditional?


Regards,
Johan
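As an added illustration (not the patch under discussion and not INN's own code), here is a Python ssl-module sketch of the opt-in arrangement Johan is asking about: compression stays off unless an inn.conf-style key enables it, and the OP_NO_COMPRESSION handling is guarded the way the quoted text describes ("if the OpenSSL version supports this"). The key name `tlscompression` is a hypothetical chosen for the example.

```python
import ssl

# Hypothetical inn.conf-style key; the real option name (if any) is not on the page.
CONFIG_KEY = "tlscompression"


def parse_tls_compression(conf_text: str) -> bool:
    """Return True only if the config explicitly enables TLS compression.

    A missing, commented-out or unparseable key yields False, so the
    secure default (compression off, CRIME not applicable) wins.
    """
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == CONFIG_KEY:
            return value.lower() in ("true", "yes", "on", "1")
    return False


def make_nntp_tls_context(allow_compression: bool) -> ssl.SSLContext:
    """Build a server-side context for an NNTP reader daemon.

    The compression bit is only touched when this OpenSSL/ssl build knows
    the option at all, mirroring the version guard described in the patch.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if hasattr(ssl, "OP_NO_COMPRESSION"):
        if allow_compression:
            # Operator opted in: clear the bit (Python's setter calls
            # SSL_CTX_clear_options for bits that are turned off).
            ctx.options = ctx.options & ~ssl.OP_NO_COMPRESSION
        else:
            ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context will refuse to negotiate TLS compression."""
    flag = getattr(ssl, "OP_NO_COMPRESSION", 0)
    return bool(flag and (ctx.options & flag))


# Constructed sample config: compression left at its default (off).
SAMPLE_CONF = "pathnews: /var/spool/news\n# tlscompression: true\n"
```

On a live connection, `tls_sock.compression()` on the accepted `SSLSocket` reports the negotiated method (or `None`), which is the cheapest way to confirm what a given OpenSSL build actually does.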