From: Igor Cicimov
To: users
Date: Thu, 19 Mar 2015 08:49:37 +1100
Subject: Re: [users@httpd] SSL Compression


On 19/03/2015 2:02 AM, "Daniel" <dferradal@gmail.com> wrote:
>
> There is an exception, you can only use that directive in server config, that's why I asked about the context.
>
> If you set that up inside a virtualhost, it will probably give you issues.
>
> --
> Daniel Ferradal
> IT Specialist
>
> email dferradal@gmail.com
> linkedin es.linkedin.com/in/danielferradal
>
> 2015-03-16 5:48 GMT+01:00 Cathy Fauntleroy <cathy.fauntleroy@vdtg.com>:
>>
>> Daniel,
>>
>> Thanks for the response. I am running OpenSSL 0.9.8. I am attempting to secure TLS compression and mitigate the CRIME vulnerability by adding the following directive to the httpd.conf file:
>>
>> Implementation on Apache HTTP Server (mod_ssl)
>>
>> The following configuration block can be used in Apache HTTP Server 2.2+/2.4+ with mod_ssl. However, there is an exception of being able to turn off TLS/SSL Compression as this is only possible Apache HTTP Server 2.2.24/2.4.3+ using the SSLCompression directive.
>>
>> SSLProtocol ALL -SSLv2 -SSLv3
>> SSLHonorCipherOrder On
>> SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
>> SSLCompression Off
>>
>> I am
>>
>> Thanks…
>>
>> Cathy Fauntleroy, Security+
>> Van Dyke Technology Group
>> Email: cathy.fauntleroy@vdtg.com
>> Office: (443) 832-4768
>>
>> From: Daniel [mailto:dferradal@gmail.com]
>> Sent: Saturday, March 14, 2015 7:24 PM
>> To: <users@httpd.apache.org>
>> Subject: Re: [users@httpd] SSL Compression
>>
>> 2015-03-14 15:02 GMT+01:00 Cathy Fauntleroy <cathy.fauntleroy@vdtg.com>:
>>>
>>> Hello Everyone,
>>>
>>> I have Apache 2.2.24 installed and I am attempting to disable compression. I am editing the httpd.conf file and adding ‘SSLCompression Off’. When I do that, the Apache service does not start. The system log does not register any meaningful error. Has anyone encountered this before?
>>>
>>> Thanks…
>>>
>>> Cathy Fauntleroy, Security+
>>> Van Dyke Technology Group
>>> Email: cathy.fauntleroy@vdtg.com
>>> Office: (443) 832-4768
>>
>> In which context are you trying to use it? Which openssl version do you use?
>>
>> --
>> Daniel Ferradal
>> IT Specialist
>>
>> email dferradal@gmail.com
>> linkedin es.linkedin.com/in/danielferradal
>
Yes you can use that in virtual host context. The problem is that you are trying to use cipher suites not supported by your openssl version. Check by running:

openssl ciphers -v

and check that the ciphers you have included in apache are in the list.

I also recommend you upgrade to openssl-1.0.1
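Igor's check, carried out as a worked example (added here; this is not code from the thread, from Apache, or from OpenSSL): the script takes the `openssl ciphers -v` listing of a build and resolves the SSLCipherSuite string quoted above against it group by group, reporting which selectors match nothing on that library. The keyword matcher is a simplified model of OpenSSL's cipher-string grammar covering only the keywords that string uses, and the two embedded listings are constructed samples in the `-v` column layout (name, protocol, Kx=, Au=, Enc=, Mac=), not output captured from a real 0.9.8 or 1.0.1 build; feed the real listing on stdin to check your own library.

```python
"""Resolve an Apache SSLCipherSuite string against the cipher list an
OpenSSL build reports, using the columns `openssl ciphers -v` prints.
Usage with a live library:  openssl ciphers -v | python3 check_suite.py
"""
import re
import sys

# The SSLCipherSuite value quoted in the thread.
THREAD_SUITE = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
                "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5")

# Constructed sample listings (NOT captured from a real build), modelled on
# the columns `openssl ciphers -v` prints: name, protocol, Kx=, Au=, Enc=, Mac=.
# OLD_LIBRARY_LISTING stands in for a library without ECDHE or AES-GCM suites.
OLD_LIBRARY_LISTING = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
"""
# NEW_LIBRARY_LISTING adds the kinds of suites a newer library provides.
NEW_LIBRARY_LISTING = OLD_LIBRARY_LISTING + """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA      SSLv3   Kx=ECDH Au=RSA Enc=3DES(168)   Mac=SHA1
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")


def parse_listing(text):
    """Turn `openssl ciphers -v` output into dicts; lines that do not fit are skipped."""
    ciphers = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, proto, kx, au, enc, mac = m.groups()
            # Some builds print Kx=ECDH/RSA; keep only the exchange algorithm.
            ciphers.append({"name": name, "proto": proto, "kx": kx.split("/")[0],
                            "au": au, "enc": enc, "mac": mac})
    return ciphers


def keyword_matches(keyword, c):
    """Simplified subset of OpenSSL's cipher-string keywords (only those the
    thread's string uses); each keyword tests one column of the -v output."""
    enc_algo, _, enc_bits = c["enc"].partition("(")   # "AESGCM(256)" -> "AESGCM", "256)"
    table = {
        "ECDH":   c["kx"] == "ECDH",
        "DH":     c["kx"] == "DH",
        "RSA":    c["kx"] == "RSA" or c["au"] == "RSA",
        "AESGCM": enc_algo == "AESGCM",
        "AES256": enc_algo.startswith("AES") and enc_bits.startswith("256"),
        "AES128": enc_algo.startswith("AES") and enc_bits.startswith("128"),
        "AES":    enc_algo.startswith("AES"),
        "3DES":   enc_algo == "3DES",
        "MD5":    c["mac"] == "MD5",
        "aNULL":  c["au"] == "None",
    }
    if keyword not in table:
        raise ValueError("keyword not modelled here: " + keyword)
    return table[keyword]


def resolve(cipher_string, listing):
    """Resolve the string group by group as OpenSSL does: a group such as
    ECDH+AESGCM is the AND of its '+'-joined keywords, and '!X' removes every
    match of X regardless of position. Returns (selected_names, empty_groups),
    where empty_groups are the selectors this library cannot satisfy."""
    ciphers = parse_listing(listing)
    selected, banned, empty = [], set(), []
    for group in cipher_string.split(":"):
        if group.startswith("!"):
            banned.update(c["name"] for c in ciphers if keyword_matches(group[1:], c))
            continue
        keywords = group.split("+")
        hits = [c["name"] for c in ciphers if all(keyword_matches(k, c) for k in keywords)]
        if not hits:
            empty.append(group)
        for name in hits:
            if name not in selected:
                selected.append(name)
    return [n for n in selected if n not in banned], empty


if __name__ == "__main__":
    listing = sys.stdin.read() if not sys.stdin.isatty() else OLD_LIBRARY_LISTING
    names, empty = resolve(THREAD_SUITE, listing)
    print("selected:", ", ".join(names) or "(nothing: this string is unusable here)")
    for group in empty:
        print("no cipher on this build matches", group)
```

On the old-style listing every ECDH and AESGCM group comes back empty, so the server would silently negotiate only the DH and plain-RSA AES/3DES suites; on the newer listing every group resolves. A selector that matches nothing is not itself an error to OpenSSL (the rest of the string still applies), but a string whose groups all come back empty resolves to no ciphers at all and cannot be used, so run the check against the library Apache is actually linked with before assuming the intended suites are in place.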
