I have one server running Apache 2.2.16. I ran the VA scanner on the server. According to the VA report it is recommended that SSL/TLS compression should be off. I tried searching Google, but didn't find anything helpful. Can anybody tell me how to turn it off in Apache 2.2.16 without upgrading the version?
It's off by default unless you enable SSL and install the appropriate certs. – mdpc May 17 '13 at 06:28
SSL is enabled, but now I want to disable the compression. How to do it??? – NapdaN May 17 '13 at 06:52
3 Answers
Sometimes, even with the latest version of Apache, if the current openssl library is not recent enough, the server returns the following error:
Invalid command 'SSLCompression', perhaps misspelled or defined by a module not included in the server configuration.
In this case you can disable the compression by exporting the following variable before starting the Apache httpd server:
export OPENSSL_NO_DEFAULT_ZLIB=1
I have found the suggestion here:
You'll have to upgrade to at least version 2.2.24 to be able to do this.
From version 2.2.24 and up you can disallow SSL compression on the server level or for individual vhosts with the following directive:
SSLCompression off
So for a single vhost you can disallow it like this:
<VirtualHost *:443>
ServerName "my.example.com"
DocumentRoot "/var/www/html"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
# disallow for this vhost (httpd does not accept a comment on the same line as a directive)
SSLCompression off
SSLCertificateFile /etc/ssl/my.example.com.crt
SSLCertificateKeyFile /etc/ssl/my.example.com.key
</VirtualHost>
Reference: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
I don't have enough points to upvote or comment on other replies, so I'll chime in here. As Mathias states, you need at least 2.2.24 to disable compression.
SSLCompression off
Just be aware, it DOES NOT work inside a virtualhost directive in 2.2.25, as my server just spat out:
This version of openssl does not support configuring compression within <VirtualHost> sections.
However, it works perfectly fine in the main httpd.conf file for server-wide effect.
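A way to verify the result from the outside, as an added example that is not from any of the answers above: a small Python probe that sends a TLS 1.2 ClientHello advertising DEFLATE compression and reads the compression method the server selects in its ServerHello (0 means compression is off; 1 means the server still accepts DEFLATE). This is needed because current OpenSSL-based clients, including openssl s_client, no longer offer compression themselves, so they cannot tell you what the server would accept. The cipher suite list and the extensions are constructed assumptions chosen so that common servers answer the hello.

```python
import os
import socket
import struct
import sys

HANDSHAKE = 0x16  # TLS record type: handshake (an alert record would be 0x15)
TLS12 = b"\x03\x03"
CIPHER_SUITES = (0xC02F, 0xC013, 0xC014, 0x009C, 0x002F, 0x0035)  # constructed list of common TLS 1.2 suites

def build_client_hello(server_name, compression_methods=(1, 0)):
    """TLS 1.2 ClientHello with SNI that offers DEFLATE (1) ahead of null (0) compression."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    comp = bytes(compression_methods)
    host = server_name.encode("idna")
    sni_list = struct.pack("!BH", 0, len(host)) + host  # name_type 0 = host_name
    exts = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list  # server_name extension
    exts += struct.pack("!HHH", 13, 8, 6) + b"\x04\x01\x05\x01\x04\x03"  # signature_algorithms: sha256/384 rsa, sha256 ecdsa
    exts += struct.pack("!HHH", 10, 6, 4) + b"\x00\x17\x00\x1d"  # supported_groups: secp256r1, x25519
    body = (TLS12 + os.urandom(32) + b"\x00"  # client_version, random, empty session_id
            + struct.pack("!H", len(suites)) + suites
            + struct.pack("!B", len(comp)) + comp
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return struct.pack("!B2sH", HANDSHAKE, TLS12, len(handshake)) + handshake

def parse_server_hello(data):
    """Compression method the server chose (0 = none, 1 = DEFLATE), or None if no ServerHello came back."""
    if len(data) < 9 or data[0] != HANDSHAKE or data[5] != 0x02:
        return None  # alert, truncated reply, or not a ServerHello
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[9:min(5 + rec_len, 9 + int.from_bytes(data[6:9], "big"))]
    if len(body) < 35:
        return None
    offset = 35 + body[34] + 2  # server_version(2) random(32) session_id_len(1) session_id cipher_suite(2)
    return body[offset] if len(body) > offset else None

def server_compression(host, port=443, timeout=5):
    """Connect, send the probing ClientHello and report the compression method the server selected."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        data = sock.recv(16384)
        while 5 <= len(data) < 5 + struct.unpack("!H", data[3:5])[0]:  # read the whole first record
            more = sock.recv(16384)
            if not more:
                break
            data += more
    return parse_server_hello(data)

if __name__ == "__main__":
    print({0: "compression: none", 1: "compression: DEFLATE"}.get(server_compression(sys.argv[1]), "no ServerHello"))
```

Run it as `python probe.py my.example.com` against each name the server answers for; a result of 1 after setting `SSLCompression off` means the directive is not in effect for the configuration actually serving that name (see the note above about vhost sections on 2.2.25).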