Configuring CRIME Exploit Protection
CRIME (Compression Ratio Info-Leak Made Easy) is a security exploit that can be used to guess the content of messages that are being compressed and sent over a TLS connection. On such connections, the event broker protects against CRIME attacks by resetting the compression engine on a per-message basis.
CRIME protection is enabled by default on a system-wide basis, but it's possible to disable it if necessary.
You can use the following
show command to display whether CRIME protection is enabled or disabled:
solace(configure)# show ssl crime-exploit-protection
You'll see an output that looks something like this example, where CRIME protection is shown to be enabled:
CRIME Exploit Protection : Yes
Having CRIME protection enabled can have a significant impact on performance, especially at smaller message sizes, so it's possible to disable it if necessary.
However, before disabling you should consider these 3 yes-or-no questions regarding the capabilities of a potential attacker:
Is the chance low that ...
- ... an attacker could connect to the event broker as a client? That is, is it of low probability that the connection isn't blocked by a connect-ACL.
- ... an attacker has authentication credentials to log into the event broker as a client?
- ... an attacker is allowed to publish messages on topics clients under attack are subscribed to? In other words, is it of low probability that an attacker has a publisher-ACL that allows publishing to applicable topics?
Refer to Configuring Client Connect Authorization for instructions on how to use ACLs to control which clients can connect.
Refer to Configuring Client Authentication for instructions on selecting and using client authentication schemes that specify what credentials that a connecting client can provide to an event broker for authentication.
Refer to Configuring Topic Publish Permissions for instructions on how to use ACLs to control the topics to which clients are allowed to publish.
If you've answered "yes, the chances are low" to at least one of the above questions, you can go ahead and disable CRIME protection using the following command:
solace(configure)# no ssl crime-exploit-protection
Disabling CRIME protection improves message throughput for subscribers that use both SSL and compression.
What are the likely improvements to throughput?
Gains will be highest for Direct messaging subscribers, who may see up to a 500% improvement in throughput. Guaranteed messaging subscribers could see up to a 150% improvement. As a consequence, there will also be corresponding improvements in Message VPN Bridge throughput.
Improvements to throughput drop as message size increases
For Direct subscribers, as message size approaches 10240 bytes, performance improvements drop to zero. For Guaranteed message subscribers, the zero improvement mark is passed as message size approaches 1024 bytes.
As noted in the introduction, CRIME protection is enabled by default on a system-wide basis, but if you've disabled it, you can re-enable it using the following command:
solace(configure)# ssl crime-exploit-protection
If you're using a software event broker you can specify the state of CRIME protection when the event broker is created by using the
tls/crimeexploitprotection/enable configuration key. For more information about this and the other configuration keys refer to Configuration Keys for the Software Event Broker.