
I read about the CRIME attack against TLS compression (CVE-2012-4929; CRIME is a successor to the BEAST attack against SSL and TLS), and I want to protect my web servers against this attack by disabling SSL compression, which was added to Apache 2.2.22 (see Bug 53219).

I am running Scientific Linux 6.3, which ships with httpd-2.2.15. Security fixes for upstream versions of httpd 2.2 should be backported to this version.

# rpm -q httpd
httpd-2.2.15-15.sl6.1.x86_64

# httpd -V
Server version: Apache/2.2.15 (Unix)
Server built:   Feb 14 2012 09:47:14
Server's Module Magic Number: 20051115:24
Server loaded:  APR 1.3.9, APR-Util 1.3.9
Compiled using: APR 1.3.9, APR-Util 1.3.9

I tried SSLCompression off in my configuration, but that results in the following error message:

# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: Syntax error on line 147 of /etc/httpd/httpd.conf:
Invalid command 'SSLCompression', perhaps misspelled or defined by a module not included in the server configuration
                                                           [FAILED]

Is it possible to disable SSLCompression with this version of the Apache web server?

Stefan Lasiewski

1 Answer

On March 4, 2013, Red Hat provided updated OpenSSL packages which address this issue. You can receive them through your normal update channels.

The original answer was:

Red Hat has not provided an updated package which provides this functionality, though there is a workaround available. Edit the /etc/sysconfig/httpd file and add this line to it:

export OPENSSL_NO_DEFAULT_ZLIB=1

Then restart Apache:

service httpd restart

This will cause OpenSSL, which provides crypto functions for Apache, to not offer compression.

Michael Hampton
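The workaround above, plus a check that a server no longer negotiates TLS compression, as a shell script added here as an example (not part of the original answer); the file path argument and the probe target are assumptions.

```shell
#!/bin/sh
# Added example, not from the original question or answer: apply the
# OPENSSL_NO_DEFAULT_ZLIB workaround idempotently and inspect an
# `openssl s_client` handshake for a negotiated compression method.

# Append the export line to a sysconfig file unless it is already there.
# $1 = path to the file (assumed; defaults to /etc/sysconfig/httpd).
add_no_zlib_export() {
    f="${1:-/etc/sysconfig/httpd}"
    line='export OPENSSL_NO_DEFAULT_ZLIB=1'
    touch "$f" || return 1
    if grep -qx "$line" "$f"; then
        return 0   # already present, nothing to do
    fi
    printf '%s\n' "$line" >> "$f"
}

# Read `openssl s_client` output on stdin and print the value of its
# "Compression:" line (NONE means no compression was negotiated).
compression_from_s_client() {
    sed -n 's/^Compression: *//p' | head -n 1
}

# Probe a live server; returns 0 only if compression was NOT negotiated.
# Caveat: OpenSSL 1.1.0+ clients never offer compression, so a NONE from
# such a client says nothing about what the server would accept.
check_tls_compression() {
    host="$1"; port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null) || return 2
    method=$(printf '%s\n' "$out" | compression_from_s_client)
    [ "$method" = "NONE" ]
}
```

Run `check_tls_compression your.host` from a host whose OpenSSL still offers compression, then restart httpd and re-run to confirm the method changes to NONE.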