How to disable SSLCompression on Apache httpd 2.2.15? (Defense against CRIME/BEAST)


On March 4, 2013, Red Hat provided updated OpenSSL packages which address this issue. You can receive them through your normal update channels.

The original answer was:


Red Hat has not provided an updated package which provides this functionality, though there is a workaround available. Edit the /etc/sysconfig/httpd file and add this line to it:

export OPENSSL_NO_DEFAULT_ZLIB=1

Then restart Apache:

service httpd restart

This will cause OpenSSL, which provides crypto functions for Apache, to not offer compression.
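As an added illustration of the answer above (this is example code written for this page, not the answerer's own script or anything shipped by Red Hat), the following POSIX shell functions apply the workaround idempotently to a sysconfig file and parse `openssl s_client` output to see what a server actually negotiated. The default path `/etc/sysconfig/httpd` comes from the answer; the sample `s_client` excerpts are constructed for offline use, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original answer): idempotently apply the
# OPENSSL_NO_DEFAULT_ZLIB workaround from the answer above and check
# whether a server still negotiates TLS compression.

SYSCONFIG_DEFAULT=/etc/sysconfig/httpd   # path named in the answer

# Append "export OPENSSL_NO_DEFAULT_ZLIB=1" to the given file unless an
# active (uncommented) line already sets it. Prints "added" or "present"
# so a config-management run can tell whether a restart is needed.
ensure_no_default_zlib() {
  f=${1:-$SYSCONFIG_DEFAULT}
  if grep -Eq '^[[:space:]]*export[[:space:]]+OPENSSL_NO_DEFAULT_ZLIB=1[[:space:]]*$' "$f" 2>/dev/null; then
    echo present
  else
    printf '\n# Disable TLS compression (CRIME, CVE-2012-4929); httpd 2.2.15 has no SSLCompression directive\nexport OPENSSL_NO_DEFAULT_ZLIB=1\n' >> "$f"
    echo added
  fi
}

# Read the output of `openssl s_client -connect host:443 </dev/null` on
# stdin and report the negotiated compression: "zlib", "none" or "unknown".
# It keys on the "Compression:" line of the SSL-Session block.
compression_from_sclient() {
  awk '
    /^[[:space:]]*Compression:/ {
      sub(/^[[:space:]]*Compression:[[:space:]]*/, "")
      if ($0 ~ /NONE/) print "none"
      else if ($0 ~ /zlib/) print "zlib"
      else print "unknown"
      found = 1
      exit
    }
    END { if (!found) print "unknown" }
  '
}

# Constructed sample s_client excerpts (not captured from a real host):
# what a vulnerable server looks like, and what it looks like once the
# workaround is in effect.
SAMPLE_BEFORE='SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Compression: zlib compression
    Expansion: zlib compression'

SAMPLE_AFTER='SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Compression: NONE
    Expansion: NONE'

# Live check against a real server (commented out so the script runs offline):
# openssl s_client -connect www.example.com:443 </dev/null 2>/dev/null | compression_from_sclient
```

Two practical caveats. First, the variable is only read when the init script sources `/etc/sysconfig/httpd`, so `service httpd restart` (not a plain `kill -HUP`) is needed after the edit. Second, `s_client` can only show compression that the client itself offered: OpenSSL 1.1.0 and later disable compression on the client side by default, so a "Compression: NONE" result from a modern `openssl` does not prove the server stopped offering it. Run the check from an OpenSSL 1.0.x build of the same era as the server to get a meaningful answer.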


Author: Stefan Lasiewski

Updated on September 18, 2022

Comments

  • Stefan Lasiewski, over 1 year ago

    I read about the CRIME attack against TLS Compression (CVE-2012-4929, CRIME is a successor to the BEAST attack against ssl & tls), and I want to protect my webservers against this attack by disabling SSL Compression, which was added to Apache 2.2.22 (See Bug 53219).

    I am running Scientific Linux 6.3, which ships with httpd-2.2.15. Security fixes for upstream versions of httpd 2.2 should be backported to this version.

    # rpm -q httpd
    httpd-2.2.15-15.sl6.1.x86_64
    
    # httpd -V
    Server version: Apache/2.2.15 (Unix)
    Server built:   Feb 14 2012 09:47:14
    Server's Module Magic Number: 20051115:24
    Server loaded:  APR 1.3.9, APR-Util 1.3.9
    Compiled using: APR 1.3.9, APR-Util 1.3.9
    

    I tried SSLCompression off in my configuration, but that results in the following error message:

    # /etc/init.d/httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd: Syntax error on line 147 of /etc/httpd/httpd.conf:
    Invalid command 'SSLCompression', perhaps misspelled or defined by a module not included in the server configuration
                                                               [FAILED]
    

    Is it possible to disable SSLCompression with this version of Apache Webserver?

  • sjbotha, about 11 years ago
    What about mod_deflate? Shouldn't that be disabled as well?
  • Michael Hampton, about 11 years ago
    No, that's irrelevant.