[patch] more TLS configuration options for nnrpd

Julien ÉLIE julien at trigofacile.com
Sun Nov 9 17:56:46 UTC 2014


Hi all,

>> I like having control for TLS settings; although sensible defaults are
>> generally much more important. But I do not understand why this
>> specific compression setting is unconditional. To exploit CRIME requires
>> a huge amount of carefully triggered, very similar, but slightly
>> different server responses. I see no way to exploit this in the Netnews
>> context.
>
> There are several places where the server will echo back a message ID
> given as input.  LIST ACTIVE on a bunch of group names in the same
> hierarchy might do it as well.  I'm not sure how close the responses need
> to be.

Would this CRIME exploit imply that using compression with encrypted 
data is not secure?  (Therefore, a possible COMPRESS command for the 
NNTP protocol should not be used at the same time as an encrypted 
layer...  We would then have to choose between compression or encryption!)

-- 
Julien ÉLIE

« Confessio est regina probatio. »
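
An added illustration, not part of the original message or of the patch under discussion: why compressing a secret together with a value the peer can choose makes the encrypted length depend on the secret, and why turning compression off removes that dependence. The secret line, the echoed values and the assumption that ciphertext length equals plaintext length are all constructed for this sketch.

```python
import zlib

# Constructed sample data: nothing here comes from the thread or from INN.
SECRET_LINE = b"X-Secret-Token: 9f27c4e1a8b35d60f1c2\r\n"


def record(echoed: bytes) -> bytes:
    """One plaintext record: a secret line followed by a server reply that
    echoes a peer-supplied message ID (223 is the NNTP STAT reply code)."""
    return SECRET_LINE + b"223 0 <" + echoed + b"@example.invalid>\r\n"


def wire_length(plaintext: bytes, compress: bool) -> int:
    """Length an observer sees. A length-preserving cipher is assumed, so the
    ciphertext is as long as the (optionally compressed) plaintext."""
    return len(zlib.compress(plaintext, 9)) if compress else len(plaintext)


def length_gap(compress: bool) -> int:
    """Observable length difference between an echoed value that repeats the
    secret and an unrelated value of the same size."""
    repeating = record(b"9f27c4e1a8b35d60f1c2")
    unrelated = record(b"zq8KxWm3TpLv0RyJh5Ns")
    return wire_length(unrelated, compress) - wire_length(repeating, compress)


if __name__ == "__main__":
    print("gap with compression:   ", length_gap(True))
    print("gap without compression:", length_gap(False))
```

With compression the repeated value is encoded as a short back-reference, so the two records differ in length; without it both records are the same size regardless of the secret.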

