[patch] more TLS configuration options for nnrpd

Julien ÉLIE julien at trigofacile.com
Sun Nov 9 17:56:46 UTC 2014

Hi all,

>> I like having control for TLS settings; although sensible defaults are
>> generally much more impportant. But I do not understand why this
>> specific compression setting is unconditional. To exploit CRIME requires
>> a huge amount of carefully triggered, very similar, but slightly
>> different server responses. I see no way to exploit this in the Netnews
>> context.
> There are several places where the server will echo back a message ID
> given as input.  LIST ACTIVE on a bunch of group names in the same
> hierarchy might do it as well.  I'm not sure how close the responses need
> to be.

Would this CRIME exploit imply that using compression with encrypted 
data is not secure?  (Therefore, a possible COMPRESS command for the 
NNTP protocol should not be used at the same time as an encrypted 
layer...  We would then have to choose between compression or encryption!)

Julien ÉLIE

« Confessio est regina probatio. »

More information about the inn-workers mailing list