httpd-users mailing list archives

From "Cathy Fauntleroy" <cathy.fauntle...@vdtg.com>
Subject RE: [users@httpd] SSL Compression
Date Wed, 18 Mar 2015 23:41:20 GMT
Igor,

 

Great information. I appreciate it!

 

Thanks…



Cathy Fauntleroy, Security+

Van Dyke Technology Group

Email:   cathy.fauntleroy@vdtg.com

Office:  (443) 832-4768

 

From: Igor Cicimov [mailto:icicimov@gmail.com] 
Sent: Wednesday, March 18, 2015 5:50 PM
To: users
Subject: Re: [users@httpd] SSL Compression

 


On 19/03/2015 2:02 AM, "Daniel" <dferradal@gmail.com> wrote:
>
> There is an exception, you can only use that directive in server config, that's why I asked about the context.
>
> If you set that up inside a virtualhost, it will probably give you issues.
>
> -- 
> Daniel Ferradal
> IT Specialist
>
> email         dferradal@gmail.com
> linkedin     es.linkedin.com/in/danielferradal

>
> 2015-03-16 5:48 GMT+01:00 Cathy Fauntleroy <cathy.fauntleroy@vdtg.com>:
>>
>> Daniel,
>>
>>  
>>
>> Thanks for the response.  I am running OpenSSL 0.9.8.  I am attempting to secure TLS compression and mitigate the CRIME vulnerability by adding the following directive to the httpd.conf file:
>>
>>  
>>
>> Implementation on Apache HTTP Server (mod_ssl)
>>
>> The following configuration block can be used in Apache HTTP Server 2.2+/2.4+ with mod_ssl. However, there is an exception of being able to turn off TLS/SSL Compression as this is only possible in Apache HTTP Server 2.2.24/2.4.3+ using the SSLCompression directive.
>>
>>  
>>
>> SSLProtocol ALL -SSLv2 -SSLv3
>>
>> SSLHonorCipherOrder On
>>
>> SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
>>
>> SSLCompression Off
>>
>> I am
>>
>>  
>>
>> Thanks…
>>
>> Cathy Fauntleroy, Security+
>>
>> Van Dyke Technology Group
>>
>> Email:  cathy.fauntleroy@vdtg.com
>>
>> Office:  (443) 832-4768
>>
>>  
>>
>> From: Daniel [mailto:dferradal@gmail.com]
>> Sent: Saturday, March 14, 2015 7:24 PM
>> To: <users@httpd.apache.org>
>> Subject: Re: [users@httpd] SSL Compression
>>
>>  
>>
>>  
>>
>>  
>>
>> 2015-03-14 15:02 GMT+01:00 Cathy Fauntleroy <cathy.fauntleroy@vdtg.com>:
>>>
>>> Hello Everyone,
>>>
>>>  
>>>
>>> I have Apache 2.2.24 installed and I am attempting to disable compression.  I am editing the httpd.conf file and adding ‘SSLCompression Off’.  When I do that, the Apache service does not start.  The system log does not register any meaningful error.  Has anyone encountered this before?
>>>
>>>  
>>>
>>> Thanks…
>>>
>>> Cathy Fauntleroy, Security+
>>>
>>> Van Dyke Technology Group
>>>
>>> Email:  cathy.fauntleroy@vdtg.com
>>>
>>> Office:  (443) 832-4768
>>>
>>>  
>>
>>
>>
>> In which context are you trying to use it? Which openssl version do you use?
>>
>>  
>>
>> --
>>
>> Daniel Ferradal
>>
>> IT Specialist
>>
>>  
>>
>> email         dferradal@gmail.com
>>
>> linkedin     es.linkedin.com/in/danielferradal

>
Yes you can use that in virtual host context. The problem is that you are trying to use cipher
suites not supported by your openssl version. Check by running:

openssl ciphers -v

and check that the ciphers you have included in apache are in the list.

I also recommend you upgrade to openssl-1.0.1
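
The per-token check Igor describes can be scripted. This is an added example, not part of the original thread: the names `unmatched_cipher_tokens` and `SUITE` are this example's own, and it assumes the `openssl` binary on PATH is the same build that Apache's mod_ssl links against.

```shell
#!/bin/sh
# Added example: list SSLCipherSuite tokens that select no ciphers in the
# local OpenSSL build. Function and variable names are this example's own.

# Cipher string quoted earlier in this thread.
SUITE='ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5'

# Print each token of the cipher string $1 for which `openssl ciphers -v`
# finds nothing. One token per line; prints nothing when every token matches.
unmatched_cipher_tokens() {
    # OpenSSL accepts ':', ',' and space as separators in a cipher string.
    printf '%s\n' "$1" | tr ':, ' '\n\n\n' | while IFS= read -r tok; do
        case "$tok" in
            '')            continue ;;  # empty field between separators
            '!'*|-*|+*|@*) continue ;;  # exclusions, reorderings and @STRENGTH
                                        # add no ciphers, so skip them
        esac
        # `openssl ciphers` exits non-zero when the token yields an empty list.
        if ! openssl ciphers -v "$tok" >/dev/null 2>&1; then
            printf '%s\n' "$tok"
        fi
    done
}

# Report for the thread's cipher string against the local openssl binary.
unmatched_cipher_tokens "$SUITE"
```

Each token printed is one to look up in the full `openssl ciphers -v` listing before keeping it in the SSLCipherSuite line.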

