small patch to enable openssl's elliptic curve Diffie-Hellman

Chris Panayis chris at movency.com
Mon Jan 21 04:59:12 EST 2013


> 
> It also SSL_CTX_set_options(SSL_OP_NO_COMPRESSION).
> 
> Why?  And if that's a good thing, shouldn't it be on a patch of its
own?

It should be it's own patch. It is probably a bad thing to disable
compression )-;

However, I think it's a good thing to disable in response to crime
attack: http://en.wikipedia.org/wiki/CRIME_%28security_exploit%29

I am unclear on:

a) how this interacts with cyrus and rfc4978
http://www.ietf.org/rfc/rfc4978.txt - should IMAP COMPRESS also be
disabled for secure connections?

b) whether this is a real problem or not in the imap/pop3/smtp world.
Can an attacker inject client requests? Do imap clients offer this
facility? Maybe the biggest risk is when password authentication is used
within the TLS stream? I must admit I can't seem to make up my mind on
this.

Hence, follow https crypto folks warnings and disable it. Haven't heard
of any network meltdown due to less https compression..

Or, just do nothing as there is no known exploit.

I could re-write the patch to make it configurable?

Chris



More information about the Cyrus-devel mailing list