Re: [exim] SMTP/TLS compression?

Author: Chris Knadle
Date:  
To: exim-users
Subject: Re: [exim] SMTP/TLS compression?
On 03/15/2015 02:25 PM, Marco Gaiarin wrote:
> Mandi! Jan Ingvoldstad
> In chel di` si favelave...
>
>> I won't directly answer the question, but I would advise you to consider
>> the consequences of enabling TLS compression.
>
> Ok, but supposing I want to give it a try for testing purposes, it suffices
> to do something like:
>
>     tls_require_ciphers = NORMAL:COMP-ALL:!VERS-SSL3.0
>
> right? Or is it too strict to 'require' compression?
>
> Thanks.
The issue with requiring compression is that other MTAs could be
configured to disallow it due to the security issues (which is the
general recommendation at least for web servers), in which case the
MTA transfer over TLS will likely fail and fall back to using an
unencrypted transfer. And where it does work, I think there's a fair
chance that compression lowers the security of the TLS session.

https://en.wikipedia.org/wiki/Transport_Layer_Security#CRIME_and_BREACH_attacks

It's also notable that compression has been removed in the TLS 1.3
draft:

https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3_.28draft.29

-- Chris

--
Chris Knadle
Chris.Knadle@???
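To make the "compression lowers the security of the TLS session" point concrete for anyone evaluating a COMP-ALL priority string: the CRIME/BREACH class of problems exists because DEFLATE output length depends on how much the data repeats, so when secret material and attacker-visible text share one compressed stream, the ciphertext length reveals whether the visible text repeats the secret. The following is an added illustration, not code from the thread or from Exim; the "secret" header value is constructed for the demo, and the second function shows the usual mitigation on the client side (Python's real `ssl.OP_NO_COMPRESSION` option).

```python
import ssl
import zlib

# Constructed sample: a credential-bearing header as it might sit in a session
# alongside text an outsider can observe or influence. The value is made up.
SECRET_HEADER = "Authorization: Basic dGhpcy1pcy1hLWNvbnN0cnVjdGVkLXNlY3JldA"
# Same length and format, but sharing only the fixed "Authorization: Basic " prefix.
NON_MATCHING = "Authorization: Basic QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpa"


def compressed_len(shared_secret: str, visible_text: str) -> int:
    """Size of the DEFLATE stream when secret and visible text are compressed together.

    TLS-level compression compresses the whole record this way, so this length is
    what an observer of the encrypted connection would see (ciphertext length
    tracks plaintext-after-compression length).
    """
    payload = (shared_secret + "\r\n" + visible_text).encode()
    return len(zlib.compress(payload, 9))


def length_difference(shared_secret: str) -> int:
    """How many bytes shorter the stream is when the visible text repeats the secret.

    A positive result means the compressed length leaks information about the
    secret: an observer cannot read it, but can tell that the visible text matched.
    """
    matching = compressed_len(shared_secret, shared_secret)
    non_matching = compressed_len(shared_secret, NON_MATCHING)
    return non_matching - matching


def context_without_compression() -> ssl.SSLContext:
    """Client-side mitigation: refuse TLS compression outright.

    ssl.OP_NO_COMPRESSION is a real option flag; setting it explicitly makes the
    intent visible even on Python versions whose defaults already include it.
    """
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context will never negotiate TLS compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


if __name__ == "__main__":
    print("bytes leaked by length:", length_difference(SECRET_HEADER))
    print("compression disabled:", compression_disabled(context_without_compression()))
```

The size gap is the whole story: encryption hides the bytes but not their count, and compression makes that count depend on the plaintext. That is why the recommendation Chris mentions is to disable compression rather than merely avoid requiring it, and why an Exim priority string that forces COMP-ALL buys nothing for security even where the peer accepts it.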