10

Is there a way to disable SSL/TLS Compression in Apache 2.2.x when using mod_ssl?

If not, what are people doing to mitigate the effects of CRIME/BEAST in older browsers?

Related Links:

  1. https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
  2. https://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512
  3. https://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor
DevGav

1 Answer

14

You can use SSLCompression off if you're on 2.2.24 or later.

If not, you can set the OPENSSL_NO_DEFAULT_ZLIB environment variable to force compression off in OpenSSL - see this question.

Shane Madden