[patch] more TLS configuration options for nnrpd

Russ Allbery eagle at eyrie.org
Sun Nov 9 17:16:15 UTC 2014


Johan van Selst <johans at stack.nl> writes:

> I like having control for TLS settings; although sensible defaults are
> generally much more important. But I do not understand why this
> specific compression setting is unconditional. To exploit CRIME requires
> a huge amount of carefully triggered, very similar, but slightly
> different server responses. I see no way to exploit this in the Netnews
> context.

There are several places where the server will echo back a message ID
given as input.  LIST ACTIVE on a bunch of group names in the same
hierarchy might do it as well.  I'm not sure how close the responses need
to be.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.

