Posted to users@httpd.apache.org by Cathy Fauntleroy <ca...@vdtg.com> on 2015/03/14 15:02:17 UTC
[users@httpd] SSL Compression
Hello Everyone,
I have Apache 2.2.24 installed and I am attempting to disable compression.
I am editing the httpd.conf file and adding 'SSLCompression Off'. When I do
that, the Apache service does not start. The system log does not register
any meaningful error. Has anyone encountered this before?
Thanks.
Cathy Fauntleroy, Security+
Van Dyke Technology Group
Email: cathy.fauntleroy@vdtg.com
Office: (443) 832-4768
RE: [users@httpd] SSL Compression
Posted by Cathy Fauntleroy <ca...@vdtg.com>.
Igor,
Great information. I appreciate it!
Thanks…
Cathy Fauntleroy, Security+
Van Dyke Technology Group
Email: cathy.fauntleroy@vdtg.com
Office: (443) 832-4768
From: Igor Cicimov [mailto:icicimov@gmail.com]
Sent: Wednesday, March 18, 2015 5:50 PM
To: users
Subject: Re: [users@httpd] SSL Compression
On 19/03/2015 2:02 AM, "Daniel" <dferradal@gmail.com> wrote:
>
> There is an exception, you can only use that directive in server config, that's why I asked about the context.
>
> If you set that up inside a virtualhost, it will probably give you issues.
>
> --
> Daniel Ferradal
> IT Specialist
>
> email dferradal@gmail.com
> linkedin es.linkedin.com/in/danielferradal
>
> 2015-03-16 5:48 GMT+01:00 Cathy Fauntleroy <cathy.fauntleroy@vdtg.com>:
>>
>> Daniel,
>>
>>
>>
>> Thanks for the response. I am running OpenSSL 0.9.8. I am attempting to secure TLS compression and mitigate the CRIME vulnerability by adding the following directive to the httpd.conf file:
>>
>>
>>
>> Implementation on Apache HTTP Server (mod_ssl)
>>
>> The following configuration block can be used in Apache HTTP Server 2.2+/2.4+ with mod_ssl. However, there is an exception of being able to turn off TLS/SSL Compression as this is only possible Apache HTTP Server 2.2.24/2.4.3+ using the SSLCompression directive.
>>
>>
>>
>> SSLProtocol ALL -SSLv2 -SSLv3
>>
>> SSLHonorCipherOrder On
>>
>> SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
>>
>> SSLCompression Off
>>
>> I am
>>
>>
>>
>> Thanks…
>>
>> Cathy Fauntleroy, Security+
>>
>> Van Dyke Technology Group
>>
>> Email: cathy.fauntleroy@vdtg.com
>>
>> Office: (443) 832-4768
>>
>>
>>
>> From: Daniel [mailto:dferradal@gmail.com]
>> Sent: Saturday, March 14, 2015 7:24 PM
>> To: <users@httpd.apache.org>
>> Subject: Re: [users@httpd] SSL Compression
>>
>>
>>
>>
>>
>>
>>
>> 2015-03-14 15:02 GMT+01:00 Cathy Fauntleroy <cathy.fauntleroy@vdtg.com>:
>>>
>>> Hello Everyone,
>>>
>>>
>>>
>>> I have Apache 2.2.24 installed and I am attempting to disable compression. I am editing the httpd.conf file and adding ‘SSLCompression Off’. When I do that, the Apache service does not start. The system log does not register any meaningful error. Has anyone encountered this before?
>>>
>>>
>>>
>>> Thanks…
>>>
>>> Cathy Fauntleroy, Security+
>>>
>>> Van Dyke Technology Group
>>>
>>> Email: cathy.fauntleroy@vdtg.com
>>>
>>> Office: (443) 832-4768
>>>
>>>
>>
>>
>>
>> In which context are you trying to use it? Which openssl version do you use?
>>
>>
>>
>> --
>>
>> Daniel Ferradal
>>
>> IT Specialist
>>
>>
>>
>> email dferradal@gmail.com
>>
>> linkedin es.linkedin.com/in/danielferradal
>
Yes you can use that in virtual host context. The problem is that you are trying to use cipher suites not supported by your openssl version. Check by running:
openssl ciphers -v
and check that the ciphers you have included in apache are in the list.
I also recommend you upgrade to openssl-1.0.1
Re: [users@httpd] SSL Compression
Posted by Igor Cicimov <ic...@gmail.com>.
On 19/03/2015 2:02 AM, "Daniel" <df...@gmail.com> wrote:
>
> There is an exception, you can only use that directive in server config, that's why I asked about the context.
>
> If you set that up inside a virtualhost, it will probably give you issues.
>
> --
> Daniel Ferradal
> IT Specialist
>
> email dferradal@gmail.com
> linkedin es.linkedin.com/in/danielferradal
>
> 2015-03-16 5:48 GMT+01:00 Cathy Fauntleroy <ca...@vdtg.com>:
>>
>> Daniel,
>>
>>
>>
>> Thanks for the response. I am running OpenSSL 0.9.8. I am attempting to secure TLS compression and mitigate the CRIME vulnerability by adding the following directive to the httpd.conf file:
>>
>>
>>
>> Implementation on Apache HTTP Server (mod_ssl)
>>
>> The following configuration block can be used in Apache HTTP Server 2.2+/2.4+ with mod_ssl. However, there is an exception of being able to turn off TLS/SSL Compression as this is only possible Apache HTTP Server 2.2.24/2.4.3+ using the SSLCompression directive.
>>
>>
>>
>> SSLProtocol ALL -SSLv2 -SSLv3
>>
>> SSLHonorCipherOrder On
>>
>> SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
>>
>> SSLCompression Off
>>
>> I am
>>
>>
>>
>> Thanks…
>>
>> Cathy Fauntleroy, Security+
>>
>> Van Dyke Technology Group
>>
>> Email: cathy.fauntleroy@vdtg.com
>>
>> Office: (443) 832-4768
>>
>>
>>
>> From: Daniel [mailto:dferradal@gmail.com]
>> Sent: Saturday, March 14, 2015 7:24 PM
>> To: <us...@httpd.apache.org>
>> Subject: Re: [users@httpd] SSL Compression
>>
>>
>>
>>
>>
>>
>>
>> 2015-03-14 15:02 GMT+01:00 Cathy Fauntleroy <ca...@vdtg.com>:
>>>
>>> Hello Everyone,
>>>
>>>
>>>
>>> I have Apache 2.2.24 installed and I am attempting to disable compression. I am editing the httpd.conf file and adding ‘SSLCompression Off’. When I do that, the Apache service does not start. The system log does not register any meaningful error. Has anyone encountered this before?
>>>
>>>
>>>
>>> Thanks…
>>>
>>> Cathy Fauntleroy, Security+
>>>
>>> Van Dyke Technology Group
>>>
>>> Email: cathy.fauntleroy@vdtg.com
>>>
>>> Office: (443) 832-4768
>>>
>>>
>>
>>
>>
>> In which context are you trying to use it? Which openssl version do you use?
>>
>>
>>
>> --
>>
>> Daniel Ferradal
>>
>> IT Specialist
>>
>>
>>
>> email dferradal@gmail.com
>>
>> linkedin es.linkedin.com/in/danielferradal
>
Yes you can use that in virtual host context. The problem is that you are
trying to use cipher suites not supported by your openssl version. Check by
running:
openssl ciphers -v
and check that the ciphers you have included in apache are in the list.
I also recommend you upgrade to openssl-1.0.1
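
The check suggested in the reply above, scripted as an added example (it is not part of the original thread): it splits an SSLCipherSuite value on colons and asks the local `openssl ciphers -v` to expand each token, printing the tokens that match no cipher suite. The helper name `unsupported_cipher_tokens` and the script name `check_ciphers.sh` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report which tokens of an
# SSLCipherSuite value the local OpenSSL build cannot expand.

# unsupported_cipher_tokens 'TOKEN:TOKEN:...'   (hypothetical helper name)
# Prints each colon-separated token for which `openssl ciphers -v TOKEN`
# fails, i.e. the token matches no cipher suite in this build.
# Tokens starting with !, -, + or @ only remove or reorder suites, so they
# are skipped. The body runs in a subshell so IFS and `set -f` do not leak.
unsupported_cipher_tokens() (
    IFS=':'
    set -f
    for token in $1; do
        case $token in
            ''|'!'*|-*|+*|@*) continue ;;
        esac
        if ! openssl ciphers -v "$token" >/dev/null 2>&1; then
            printf '%s\n' "$token"
        fi
    done
)

# Stand-alone use: sh check_ciphers.sh 'ECDH+AESGCM:DH+AESGCM:...:!MD5'
if [ "$#" -gt 0 ]; then
    openssl version
    missing=$(unsupported_cipher_tokens "$1")
    if [ -n "$missing" ]; then
        printf 'Tokens matching no cipher suite:\n%s\n' "$missing"
    else
        echo 'Every token matches at least one cipher suite.'
    fi
fi
```

When the service fails to start without a useful log entry, `httpd -t` (or `apachectl configtest`) parses the configuration and prints the file, line and directive it rejects.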
Re: [users@httpd] SSL Compression
Posted by Daniel <df...@gmail.com>.
There is an exception, you can only use that directive in server config,
that's why I asked about the context.
If you set that up inside a virtualhost, it will probably give you
issues.
--
*Daniel Ferradal*
IT Specialist
email dferradal@gmail.com
linkedin es.linkedin.com/in/danielferradal
2015-03-16 5:48 GMT+01:00 Cathy Fauntleroy <ca...@vdtg.com>:
> Daniel,
>
>
>
> Thanks for the response. I am running OpenSSL 0.9.8. I am attempting to
> secure TLS compression and mitigate the CRIME vulnerability by adding the
> following directive to the httpd.conf file:
>
>
>
> Implementation on Apache HTTP Server (mod_ssl)
>
> The following configuration block can be used in Apache HTTP Server
> 2.2+/2.4+ with mod_ssl. However, there is an exception of being able to
> turn off TLS/SSL Compression as this is only possible Apache HTTP Server
> 2.2.24/2.4.3+ using the SSLCompression directive.
>
>
>
> SSLProtocol ALL -SSLv2 -SSLv3
>
> SSLHonorCipherOrder On
>
> SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
>
> SSLCompression Off
>
> I am
>
>
>
> Thanks…
>
> *Cathy Fauntleroy,* *Security+*
>
> *Van Dyke Technology Group*
>
> *Email:* cathy.fauntleroy@vdtg.com
>
> *Office: (443) 832-4768*
>
>
>
> *From:* Daniel [mailto:dferradal@gmail.com]
> *Sent:* Saturday, March 14, 2015 7:24 PM
> *To:* <us...@httpd.apache.org>
> *Subject:* Re: [users@httpd] SSL Compression
>
>
>
>
>
>
>
> 2015-03-14 15:02 GMT+01:00 Cathy Fauntleroy <ca...@vdtg.com>:
>
> Hello Everyone,
>
>
>
> I have Apache 2.2.24 installed and I am attempting to disable
> compression. I am editing the httpd.conf file and adding ‘SSLCompression
> Off’. When I do that, the Apache service does not start. The system log
> does not register any meaningful error. Has anyone encountered this before?
>
>
>
> Thanks…
>
> *Cathy Fauntleroy,* *Security+*
>
> *Van Dyke Technology Group*
>
> *Email:* cathy.fauntleroy@vdtg.com
>
> *Office: (443) 832-4768*
>
>
>
>
>
> In which context are you trying to use it? Which openssl version do you
> use?
>
>
>
> --
>
> *Daniel Ferradal*
>
> IT Specialist
>
>
>
> email dferradal@gmail.com
>
> linkedin es.linkedin.com/in/danielferradal
>
RE: [users@httpd] SSL Compression
Posted by Cathy Fauntleroy <ca...@vdtg.com>.
Daniel,
Thanks for the response. I am running OpenSSL 0.9.8. I am attempting to secure TLS compression and mitigate the CRIME vulnerability by adding the following directive to the httpd.conf file:
Implementation on Apache HTTP Server (mod_ssl)
The following configuration block can be used in Apache HTTP Server 2.2+/2.4+ with mod_ssl. However, there is an exception of being able to turn off TLS/SSL Compression as this is only possible Apache HTTP Server 2.2.24/2.4.3+ using the SSLCompression directive.
SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
SSLCompression Off
I am
Thanks…
Cathy Fauntleroy, Security+
Van Dyke Technology Group
Email: cathy.fauntleroy@vdtg.com
Office: (443) 832-4768
From: Daniel [mailto:dferradal@gmail.com]
Sent: Saturday, March 14, 2015 7:24 PM
To: <us...@httpd.apache.org>
Subject: Re: [users@httpd] SSL Compression
2015-03-14 15:02 GMT+01:00 Cathy Fauntleroy <cathy.fauntleroy@vdtg.com>:
Hello Everyone,
I have Apache 2.2.24 installed and I am attempting to disable compression. I am editing the httpd.conf file and adding ‘SSLCompression Off’. When I do that, the Apache service does not start. The system log does not register any meaningful error. Has anyone encountered this before?
Thanks…
Cathy Fauntleroy, Security+
Van Dyke Technology Group
Email: cathy.fauntleroy@vdtg.com
Office: (443) 832-4768
In which context are you trying to use it? Which openssl version do you use?
--
Daniel Ferradal
IT Specialist
email dferradal@gmail.com
linkedin es.linkedin.com/in/danielferradal
Re: [users@httpd] SSL Compression
Posted by Daniel <df...@gmail.com>.
2015-03-14 15:02 GMT+01:00 Cathy Fauntleroy <ca...@vdtg.com>:
> Hello Everyone,
>
>
>
> I have Apache 2.2.24 installed and I am attempting to disable
> compression. I am editing the httpd.conf file and adding ‘SSLCompression
> Off’. When I do that, the Apache service does not start. The system log
> does not register any meaningful error. Has anyone encountered this before?
>
>
>
> Thanks…
>
> *Cathy Fauntleroy,* *Security+*
>
> *Van Dyke Technology Group*
>
> *Email:* cathy.fauntleroy@vdtg.com
>
> *Office: (443) 832-4768*
>
>
>
In which context are you trying to use it? Which openssl version do you use?
--
*Daniel Ferradal*
IT Specialist
email dferradal@gmail.com
linkedin es.linkedin.com/in/danielferradal