How can we mitigate CVE-2012-4929 SSL/TLS CRIME attack against HTTPS in Red Hat Enterprise Linux 5 or 6
httpd
refuses to start whenSSLCompression on
is used in/etc/httpd/conf.d/ssl.conf
- How can we mitigate CVE-2012-4929 SSL/TLS CRIME attack against HTTPS in Red Hat Enterprise Linux 5 or 6 on httpd and mod_ssl?
will focus only on fixing the problem. On RHEL server 5.x and 6.x the easy way is to simply disable SSL compression.
In newer Apache versions this can be done using the cmd: “SSLCompression off”
But in RHEL this will not work and you will get the following error
“Invalid command ‘SSLCompression’, perhaps misspelled or defined by a module not included in the server configuration”
As described in RHEL support site the way to do is:
Add the following to “export OPENSSL_NO_DEFAULT_ZLIB=1? /etc/sysconfig/httpd and then restart the service, like:
export OPENSSL_NO_DEFAULT_ZLIB=1
# echo “export OPENSSL_NO_DEFAULT_ZLIB=1? >> /etc/sysconfig/httpd
# service httpd restart
openssl s_client -connect localhost:443
.
-bash-4.1# openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=0 C = –, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = mohan111, emailAddress = root@mohan111
verify error:num=18:self signed certificate
verify return:1
depth=0 C = –, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = mohan111, emailAddress = root@mohan111
verify return:1
—
Certificate chain
0 s:/C=–/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=mohan111/emailAddress=root@mohan111
i:/C=–/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=mohan111/emailAddress=root@mohan111
—
Server certificate
—–BEGIN CERTIFICATE—–
MIIDCzCCAnSgAwIBAgICRhAwDQYJKoZIhvcNAQEFBQAwgaExCzAJBgNVBAYTAi0t
MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK
DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV
bml0MREwDwYDVQQDDAh0YWdpdDExMTEcMBoGCSqGSIb3DQEJARYNcm9vdEB0YWdp
dDExMTAeFw0xMzEwMTcxMzA1NTBaFw0xNDEwMTcxMzA1NTBaMIGhMQswCQYDVQQG
EwItLTESMBAGA1UECAwJU29tZVN0YXRlMREwDwYDVQQHDAhTb21lQ2l0eTEZMBcG
A1UECgwQU29tZU9yZ2FuaXphdGlvbjEfMB0GA1UECwwWU29tZU9yZ2FuaXphdGlv
bmFsVW5pdDERMA8GA1UEAwwIdGFnaXQxMTExHDAaBgkqhkiG9w0BCQEWDXJvb3RA
dGFnaXQxMTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJvMjBwCChoJH74j
dPECdB+saT/HqMtRP7w2cGi/G+7/VmNfFMLN3VqDMuUiAwXBSMrhDDhBO69+aMvj
oZHupGgVLTAzRJa9uP9PquFfjOuxEUvnKzlg0gwCqWH06GCu0ZcooIsduTRLOE9X
tbSgN2snQ00XEV1Xl9niWgvKFUnxAgMBAAGjUDBOMB0GA1UdDgQWBBQpJ2Y+9O+d
knVbGpff1za/RE6ngzAfBgNVHSMEGDAWgBQpJ2Y+9O+dknVbGpff1za/RE6ngzAM
BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAHp1LU5VuP/b4euNRJdvK0eu
vxi8STrqmUOuQ90v1jZgqMaLT1/tQ/5+h2E5gUDL4pdi7IoTldB3xBcfR8vvnfgC
cOvRmqIyUFgDeULFNk+lcFq0FdDIm/AbZxAT5hlQZU5EQUfkws5qerwmOlp9Gs2n
WPmDOjcmvTWsrSevbyQU
—–END CERTIFICATE—–
subject=/C=–/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=mohan111/emailAddress=root@mohan111
issuer=/C=–/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=mohan111/emailAddress=root@mohan111
—
No client certificate CA names sent
—
SSL handshake has read 1533 bytes and written 310 bytes
—
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 11311947FC0F863B4646C035BFB7E84BBDE6E263B43D50318E253FDDF970F9C1
Session-ID-ctx:
Master-Key: 3C4E725A784B5412E40F9502159639C73611DCD3A5515F6E3132545458F0032A1812FA563BAEC15CF24689577C128B76
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 – 91 88 07 7a aa ac 4e c5-9c a5 21 7d a3 d6 fc d9 …z..N…!}….
0010 – 90 3e bd 2d a3 c3 3b 1d-98 10 30 32 d9 27 46 8e .>.-..;…02.’F.
0020 – 18 77 d5 31 41 d0 9f c5-21 6b 37 92 32 fb d0 7b .w.1A…!k7.2..{
0030 – 63 f7 5a 1c d3 24 92 f7-1c 3f 35 f2 a3 04 75 87 c.Z..$…?5…u.
0040 – 68 eb 01 06 62 18 26 1e-83 f0 4a e6 f1 bb 12 cc h…b.&…J…..
0050 – f0 35 e8 fa ee 50 c0 0c-4f 6e a7 c4 e2 10 27 ee .5…P..On….’.
0060 – 66 4b 7c bf 96 36 a9 c4-90 3c 62 f5 96 d9 ca d6 fK|..6…<b…..
0070 – 7a 33 b5 d4 2d ec fd 89-58 61 de cb d0 b0 8a ec z3..-…Xa……
0080 – d2 a6 14 de 92 8a 58 9f-d4 71 e4 95 c7 9c 94 09 ……X..q……
0090 – 65 a1 b6 7c a2 93 b4 60-00 d6 da 81 ea 0a 6d 48 e..|…`……mH
00a0 – ff 51 d1 94 b3 66 7d 7a-28 5c a4 7a c3 74 61 1b .Q…f}z(\.z.ta.
00b0 – d5 61 52 06 10 f3 c4 a8-13 eb 3c 35 e3 44 56 5c .aR…….<5.DV\
Start Time: 1382016174
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
Recent Comments