> From: Howard Chu
> Sent: Monday, December 07, 2015 6:26 AM
>
> OpenLDAP does not enable compression so there is nothing to disable.

Hmm, that's not what I am seeing. Using the latest sslscan:

-----------------------
$ sslscan ldap.cpp.edu:636
Version: 1.10.6
OpenSSL 1.0.1p 9 Jul 2015

Testing SSL server ldap.cpp.edu on port 636

TLS renegotiation:
Secure session renegotiation supported

TLS Compression:
Compression enabled (CRIME)
[...]
---------------------

shows that compression is enabled. As does Wireshark when sniffing the packets over the wire. This is with openssl, perhaps gnutls behaves differently?

> The CRIME attack does not work against LDAP or other stateful protocols
> where credentials are only sent once.

Great, thanks much for clarifying that for me.
