
Mailing List Archive: exim: dev

Support for SSL compression

 

 



gvz at 2scale

May 11, 2005, 9:20 AM

Post #1 of 5 (153 views)
Support for SSL compression

Hi,

Since May 2004, an RFC (3749) has existed that finally assigned a code (1)
to the deflate compression method for use with TLS. SSL 3.0 already
introduced compression negotiation in the "SSL Hello" commands.

The current version of GnuTLS supports deflate by default. OpenSSL also
supports SSL deflate compression, but you have to register it.

So, with rather minor changes, we could make both API versions "compression
aware".

What I wonder is if anybody has thought about that / discussed it.

In tls-gnu.c, deflate-compression is more or less actively excluded (by
only specifying the "NUL" compression). Is there a reason for this?
The length of the compression priority list suggests Nikos Mavroyanopoulos
originally intended to make this configurable.

If nobody has concerns, I'd like to write an Exim patch to enable
compression. It would be a nice "marketing" feature for an upcoming
release.

Kind regards,


Georg v.Zezschwitz


ph10 at cus

May 12, 2005, 1:12 AM

Post #2 of 5 (155 views)
Re: Support for SSL compression

On Wed, 11 May 2005, Georg v. Zezschwitz wrote:

> So, with rather minor changes, we could make both API versions "compression
> aware".
>
> What I wonder is if anybody has thought about that / discussed it.

Not to my knowledge. I personally was not even aware of the feature (I
am not a TLS expert).

> In tls-gnu.c, deflate-compression is more or less actively excluded (by
> only specifying the "NUL" compression). Is there a reason for this?

The code was originally supplied by Nikos Mavroyanopoulos for an early
version of GnuTLS. He may have had a reason. Also, I expect GnuTLS has
changed.

> If nobody has concerns, I'd like to write an Exim patch to enable
> compression. It would be a nice "marketing" feature for an upcoming
> release.

Sure. I will certainly consider any patches you may contribute.

--
Philip Hazel University of Cambridge Computing Service,
ph10 [at] cus Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book


gvz at 2scale

May 12, 2005, 3:23 AM

Post #3 of 5 (150 views)
Re: Support for SSL compression

On Thu, May 12, 2005 at 09:12:08AM +0100, Philip Hazel wrote:
...
> > If nobody has concerns, I'd like to write an Exim patch to enable
> > compression. It would be a nice "marketing" feature for an upcoming
> > release.
>
> Sure. I will certainly consider any patches you may contribute.

Basic idea:

1) Adding a global option "tls_supported_compression" to select compression
protocols to be supported for incoming connections.
e.g.: "DEFLATE:NULL".
Default should be all std-protocols that the SSL-stack supports.

2) Adding an smtp transport option "tls_prefered_compression" which contains the
list of prefered compression protocols: E.g.:
"DEFLATE:NULL"
or
"NULL"

3) Extending the logfile to log the compression protocol:

E.g:
... X=TLS-1.0:RSA_3DES_EDE_CBC_SHA:24

Any comments?

Hopefully my wife will give me some time this weekend :-)

Regards,


Georg


gvz at 2scale

May 12, 2005, 3:28 AM

Post #4 of 5 (149 views)
Re: Support for SSL compression

On Thu, May 12, 2005 at 12:23:40PM +0200, Georg v. Zezschwitz wrote:
...
> 3) Extending the logfile to log the compression protocol:
>
> E.g:
> ... X=TLS-1.0:RSA_3DES_EDE_CBC_SHA:24

Hmpffh.

Should be:

Extending $tls_cipher to the format:

<protocol>:<cipher>:<bits>:<compression>

with compression = (NULL|DEFLATE|STAC) for now.


ph10 at cus

May 13, 2005, 1:13 AM

Post #5 of 5 (149 views)
Re: Support for SSL compression

On Thu, 12 May 2005, Georg v. Zezschwitz wrote:

> 1) Adding a global option "tls_supported_compression" to select compression
> protocols to be supported for incoming connections.
> e.g.: "DEFLATE:NULL".
> Default should be all std-protocols that the SSL-stack supports.

Could save a bit of typing by calling it "tls_support_compression" (but
I don't really mind).

> 2) Adding an smtp transport option "tls_prefered_compression" which contains the
> list of prefered compression protocols: E.g.:
> "DEFLATE:NULL"
> or
> "NULL"

Why not call it "tls_support_compression" as well? Compare
tls_require_ciphers and tls_verify_certificates, which exist both as
main options and as smtp transport options. Besides, people may have
trouble remembering how to spell "preferred" :-)
                                       ^^
> Extending $tls_cipher to the format:
>
> <protocol>:<cipher>:<bits>:<compression>
>
> with compression = (NULL|DEFLATE|STAC) for now.

Seems OK to me.

> Hopefully my wife will give me some time this weekend :-)

Good luck!

Regards,
Philip

--
Philip Hazel University of Cambridge Computing Service,
ph10 [at] cus Cambridge, England. Phone: +44 1223 334714.
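
A parser for the $tls_cipher format proposed in this thread, as an added example that is not part of the original posts or of Exim's code. It reads the value from an X= log field, accepts both the three-field form quoted above and the proposed four-field form, and tallies sessions by compression method. The log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Compression names listed in the thread for the proposed fourth field.
KNOWN_COMPRESSION = {"NULL", "DEFLATE", "STAC"}

# Matches X=<protocol>:<cipher>:<bits>[:<compression>] inside a log line.
X_FIELD = re.compile(r"(?:^|\s)X=(\S+)")


def parse_tls_cipher(value):
    """Split a $tls_cipher value into its parts.

    Accepts the three-field form and the proposed four-field form.
    Returns a dict, or None if the value fits neither.
    """
    parts = value.split(":")
    if len(parts) not in (3, 4) or not parts[2].isdigit():
        return None
    compression = parts[3].upper() if len(parts) == 4 else None
    if compression is not None and compression not in KNOWN_COMPRESSION:
        return None
    return {"protocol": parts[0], "cipher": parts[1],
            "bits": int(parts[2]), "compression": compression}


def summarize(lines):
    """Count sessions per compression method.

    'unreported' means the three-field form (no compression field);
    'unparsed' means an X= value that fits neither form.
    """
    counts = Counter()
    for line in lines:
        match = X_FIELD.search(line)
        if not match:
            continue  # no TLS on this line
        parsed = parse_tls_cipher(match.group(1))
        if parsed is None:
            counts["unparsed"] += 1
        else:
            counts[parsed["compression"] or "unreported"] += 1
    return dict(counts)


# Constructed sample log lines (not real Exim output).
SAMPLE = [
    "2005-05-14 10:00:01 msg1 <= a@example.org H=mx1.example.org [192.0.2.10] X=TLS-1.0:RSA_3DES_EDE_CBC_SHA:24:DEFLATE",
    "2005-05-14 10:00:05 msg2 <= b@example.org H=mx2.example.org [192.0.2.11] X=TLS-1.0:RSA_3DES_EDE_CBC_SHA:24:NULL",
    "2005-05-14 10:00:09 msg3 <= c@example.org H=mx3.example.org [192.0.2.12] X=TLS-1.0:RSA_3DES_EDE_CBC_SHA:24",
    "2005-05-14 10:00:12 msg4 <= d@example.org H=mx4.example.org [192.0.2.13]",
    "2005-05-14 10:00:15 msg5 <= e@example.org H=mx5.example.org [192.0.2.14] X=TLS-1.0:RSA_3DES_EDE_CBC_SHA:24:ZLIB",
]
```
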
