Configuring CRIME Exploit Protection

CRIME (Compression Ratio Info-Leak Made Easy) is an attack that recovers secrets from data that is compressed and then sent over a TLS connection. An attacker who can get their own text compressed in the same context as a victim's message learns, from the length of the encrypted output, whether their text matched part of the victim's message, and can repeat this guess by guess to recover the secret. On connections that use TLS compression, the event broker protects against CRIME attacks by resetting the compression engine on a per-message basis, so that one message is never compressed against the contents of another.
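The following Python simulation is an added example, not code from the event broker or from Solace. It models a compressed stream with zlib (raw DEFLATE, as a stand-in for TLS-level compression): a victim's message carrying a constructed secret is followed by attacker probes, and the attacker learns only the size of each probe's compressed output, which on the wire would be the TLS record length. With one shared compression context the size oracle recovers the secret a character at a time; with a fresh context per message, which is what the broker's per-message reset provides, every probe compresses to the same size and the oracle learns nothing. The message contents, the field name `auth_token=` and the character set are all constructed for the demo.

```python
import string
import zlib

# Constructed sample data: the victim's message carries a secret, and the
# attacker knows the field name that precedes it (as with a session cookie).
VICTIM_MESSAGE = "auth_token=7f3a9c"
KNOWN_PREFIX = "auth_token="
CHARSET = string.ascii_lowercase + string.digits


def compressed_sizes(messages, reset_per_message):
    """Compress messages as one raw-DEFLATE stream; return bytes each one added.

    reset_per_message=False keeps a single compression context, so a later
    message can back-reference an earlier one (the condition CRIME needs).
    reset_per_message=True starts a fresh context for every message, which is
    the per-message reset applied when CRIME protection is enabled.
    """
    sizes = []
    comp = zlib.compressobj(level=9, wbits=-15)  # raw DEFLATE, no zlib header
    for msg in messages:
        if reset_per_message:
            comp = zlib.compressobj(level=9, wbits=-15)
        # Z_SYNC_FLUSH emits this message's output without ending the stream
        out = comp.compress(msg.encode()) + comp.flush(zlib.Z_SYNC_FLUSH)
        sizes.append(len(out))
    return sizes


def probe_size(guess, reset_per_message):
    """Wire size of an attacker probe sent right after the victim's message."""
    return compressed_sizes([VICTIM_MESSAGE, guess], reset_per_message)[-1]


def recover_secret(reset_per_message, secret_len=len(VICTIM_MESSAGE)):
    """Byte-at-a-time CRIME recovery driven only by observed sizes.

    For each unknown position the attacker sends known-so-far + candidate and
    keeps the candidate whose probe compressed smallest: the right candidate
    lengthens the back-reference into the victim's message by one byte, while
    a wrong one costs an extra literal. Returns None as soon as the oracle
    cannot single out one candidate, which is the outcome under per-message
    resets.
    """
    recovered = KNOWN_PREFIX
    while len(recovered) < secret_len:
        sizes = {c: probe_size(recovered + c, reset_per_message) for c in CHARSET}
        smallest = min(sizes.values())
        winners = [c for c, n in sizes.items() if n == smallest]
        if len(winners) != 1:
            return None
        recovered += winners[0]
    return recovered


if __name__ == "__main__":
    print("shared context   :", recover_secret(reset_per_message=False))
    print("per-message reset:", recover_secret(reset_per_message=True))
```

Each probe is modelled as a two-message stream (victim message, then probe) rather than as one long-lived stream, which keeps the size comparison clean; the leak is the same either way. The second run also shows where the performance cost described later on this page comes from: with the context reset on every message, no message can benefit from the history of the ones before it, so small messages compress worst.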

CRIME protection is enabled by default on a system-wide basis, but it's possible to disable it if necessary.

Most connections on the event broker have TLS compression disabled and therefore aren't vulnerable to the CRIME exploit. For these connections, this switch is not needed and has no effect.

How to determine if CRIME protection is enabled or disabled

You can use the following show command to display whether CRIME protection is enabled or disabled:

solace(configure)# show ssl crime-exploit-protection

You'll see an output that looks something like this example, where CRIME protection is shown to be enabled:

CRIME Exploit Protection : Yes

Questions to consider before disabling CRIME protection

Having CRIME protection enabled can have a significant impact on performance, especially at smaller message sizes, so it's possible to disable it if necessary.

However, before disabling you should consider these 3 yes-or-no questions regarding the capabilities of a potential attacker:

Is the chance low that ...

  1. ... an attacker could connect to the event broker as a client? That is, is it of low probability that an attacker's connection would get past the connect ACL?
     Refer to Configuring Client Connect Authorization for instructions on how to use ACLs to control which clients can connect.

  2. ... an attacker has authentication credentials to log into the event broker as a client?
     Refer to Configuring Client Authentication for instructions on selecting and using client authentication schemes that specify what credentials a connecting client can provide to an event broker for authentication.

  3. ... an attacker is allowed to publish messages on topics that the clients under attack are subscribed to? In other words, is it of low probability that an attacker has a publish ACL that allows publishing to the applicable topics?
     Refer to Configuring Topic Publish Permissions for instructions on how to use ACLs to control the topics to which clients are allowed to publish.

The attack described here requires all three capabilities at once: the attacker must connect, authenticate, and publish into the topics the victim receives, so blocking any one of them is enough. If you've answered "yes, the chances are low" to at least one of the above questions, you can go ahead and disable CRIME protection using the following command:

solace(configure)# no ssl crime-exploit-protection

Performance improvements when disabling CRIME protection

Disabling CRIME protection improves message throughput for subscribers that use both SSL and compression.

What are the likely improvements to throughput?

Gains will be highest for Direct messaging subscribers, who may see up to a 500% improvement in throughput. Guaranteed messaging subscribers could see up to a 150% improvement. As a consequence, there will also be corresponding improvements in Message VPN Bridge throughput.

Improvements to throughput drop as message size increases

For Direct subscribers, as message size approaches 10240 bytes, performance improvements drop to zero. For Guaranteed message subscribers, the zero improvement mark is passed as message size approaches 1024 bytes.

Re-enabling CRIME protection

As noted in the introduction, CRIME protection is enabled by default on a system-wide basis, but if you've disabled it, you can re-enable it using the following command:

solace(configure)# ssl crime-exploit-protection

Using a configuration key to enable or disable CRIME protection

If you're using a software event broker you can specify the state of CRIME protection when the event broker is created by using the tls/crimeexploitprotection/enable configuration key. For more information about this and the other configuration keys refer to Configuration Keys for the Software Event Broker.