{"id":2538,"date":"2013-10-17T21:23:20","date_gmt":"2013-10-17T13:23:20","guid":{"rendered":"http:\/\/rmohan.com\/?p=2538"},"modified":"2013-10-17T21:25:15","modified_gmt":"2013-10-17T13:25:15","slug":"how-to-fix-mod_ssl-crime-attack","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=2538","title":{"rendered":"How to fix mod_ssl CRIME  CVE-2012-4929 SSL\/TLS CRIME"},"content":{"rendered":"<h1 id=\"page-title\">How can we mitigate CVE-2012-4929 SSL\/TLS CRIME attack against HTTPS in Red Hat Enterprise Linux 5 or 6<\/h1>\n<div>\n<div id=\"article-content\">\n<ul>\n<li><code>httpd<\/code> refuses to start when <code>SSLCompression on<\/code> is used in <code>\/etc\/httpd\/conf.d\/ssl.conf<\/code><\/li>\n<li>How can we mitigate CVE-2012-4929 SSL\/TLS CRIME attack against HTTPS in Red Hat Enterprise Linux 5 or 6 on httpd and mod_ssl?<\/li>\n<\/ul>\n<p>will focus only on fixing the problem. On RHEL server 5.x and 6.x the easy way is to simply disable SSL compression.<br \/>\nIn newer Apache versions this can be done using the cmd: \u201cSSLCompression off\u201d<\/p>\n<p>But in RHEL this will not work and you will get the following error<br \/>\n\u201cInvalid command \u2018SSLCompression\u2019, perhaps misspelled or defined by a module not included in the server configuration\u201d<\/p>\n<p>As described in <a href=\"https:\/\/access.redhat.com\/site\/solutions\/255473\" target=\"_blank\">RHEL support site<\/a> the way to do is:<\/p>\n<p>Add the following to \u201cexport OPENSSL_NO_DEFAULT_ZLIB=1? \/etc\/sysconfig\/httpd and then restart the service, like:<\/p>\n<pre><code>export OPENSSL_NO_DEFAULT_ZLIB=1<\/code><\/pre>\n<p><strong># echo \u201cexport OPENSSL_NO_DEFAULT_ZLIB=1? 
&gt;&gt; \/etc\/sysconfig\/httpd<br \/>\n# service httpd restart<\/strong><\/p>\n<p>Then verify from the server that no compression is negotiated any more, using <code>openssl s_client<\/code>. Run it from a shell in which <code>OPENSSL_NO_DEFAULT_ZLIB<\/code> is not exported: the variable also stops the OpenSSL client from offering compression, and a client that offers nothing would show <code>Compression: NONE<\/code> even against an unfixed server. The lines to look for are <strong>Compression: NONE<\/strong> and <strong>Expansion: NONE<\/strong>; the <code>self signed certificate<\/code> warnings come from the certificate of the test host and are unrelated.<\/p>\n<pre><code>-bash-4.1# openssl s_client -connect localhost:443\nCONNECTED(00000003)\ndepth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = mohan111, emailAddress = root@mohan111\nverify error:num=18:self signed certificate\nverify return:1\ndepth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = mohan111, emailAddress = root@mohan111\nverify return:1\n---\nCertificate chain\n 0 s:\/C=--\/ST=SomeState\/L=SomeCity\/O=SomeOrganization\/OU=SomeOrganizationalUnit\/CN=mohan111\/emailAddress=root@mohan111\n   i:\/C=--\/ST=SomeState\/L=SomeCity\/O=SomeOrganization\/OU=SomeOrganizationalUnit\/CN=mohan111\/emailAddress=root@mohan111\n---\nServer certificate\n-----BEGIN CERTIFICATE-----\nMIIDCzCCAnSgAwIBAgICRhAwDQYJKoZIhvcNAQEFBQAwgaExCzAJBgNVBAYTAi0t\nMRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK\nDBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV\nbml0MREwDwYDVQQDDAh0YWdpdDExMTEcMBoGCSqGSIb3DQEJARYNcm9vdEB0YWdp\ndDExMTAeFw0xMzEwMTcxMzA1NTBaFw0xNDEwMTcxMzA1NTBaMIGhMQswCQYDVQQG\nEwItLTESMBAGA1UECAwJU29tZVN0YXRlMREwDwYDVQQHDAhTb21lQ2l0eTEZMBcG\nA1UECgwQU29tZU9yZ2FuaXphdGlvbjEfMB0GA1UECwwWU29tZU9yZ2FuaXphdGlv\nbmFsVW5pdDERMA8GA1UEAwwIdGFnaXQxMTExHDAaBgkqhkiG9w0BCQEWDXJvb3RA\ndGFnaXQxMTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJvMjBwCChoJH74j\ndPECdB+saT\/HqMtRP7w2cGi\/G+7\/VmNfFMLN3VqDMuUiAwXBSMrhDDhBO69+aMvj\noZHupGgVLTAzRJa9uP9PquFfjOuxEUvnKzlg0gwCqWH06GCu0ZcooIsduTRLOE9X\ntbSgN2snQ00XEV1Xl9niWgvKFUnxAgMBAAGjUDBOMB0GA1UdDgQWBBQpJ2Y+9O+d\nknVbGpff1za\/RE6ngzAfBgNVHSMEGDAWgBQpJ2Y+9O+dknVbGpff1za\/RE6ngzAM\nBgNVHRMEBTADAQH\/MA0GCSqGSIb3DQEBBQUAA4GBAHp1LU5VuP\/b4euNRJdvK0eu\nvxi8STrqmUOuQ90v1jZgqMaLT1\/tQ\/5+h2E5gUDL4pdi7IoTldB3xBcfR8vvnfgC\ncOvRmqIyUFgDeULFNk+lcFq0FdDIm\/AbZxAT5hlQZU5EQUfkws5qerwmOlp9Gs2n\nWPmDOjcmvTWsrSevbyQU\n-----END CERTIFICATE-----\nsubject=\/C=--\/ST=SomeState\/L=SomeCity\/O=SomeOrganization\/OU=SomeOrganizationalUnit\/CN=mohan111\/emailAddress=root@mohan111\nissuer=\/C=--\/ST=SomeState\/L=SomeCity\/O=SomeOrganization\/OU=SomeOrganizationalUnit\/CN=mohan111\/emailAddress=root@mohan111\n---\nNo client certificate CA names sent\n---\nSSL handshake has read 1533 bytes and written 310 bytes\n---\nNew, TLSv1\/SSLv3, Cipher is DHE-RSA-AES256-SHA\nServer public key is 1024 bit\nSecure Renegotiation IS supported\n<strong>Compression: NONE<\/strong>\n<strong>Expansion: NONE<\/strong>\nSSL-Session:\n    Protocol  : TLSv1\n    Cipher    : DHE-RSA-AES256-SHA\n    Session-ID: 11311947FC0F863B4646C035BFB7E84BBDE6E263B43D50318E253FDDF970F9C1\n    Session-ID-ctx:\n    Master-Key: 3C4E725A784B5412E40F9502159639C73611DCD3A5515F6E3132545458F0032A1812FA563BAEC15CF24689577C128B76\n    Key-Arg   : None\n    Krb5 Principal: None\n    PSK identity: None\n    PSK identity hint: None\n    TLS session ticket:\n    0000 - 91 88 07 7a aa ac 4e c5-9c a5 21 7d a3 d6 fc d9   ...z..N...!}....\n    0010 - 90 3e bd 2d a3 c3 3b 1d-98 10 30 32 d9 27 46 8e   .&gt;.-..;...02.'F.\n    0020 - 18 77 d5 31 41 d0 9f c5-21 6b 37 92 32 fb d0 7b   .w.1A...!k7.2..{\n    0030 - 63 f7 5a 1c d3 24 92 f7-1c 3f 35 f2 a3 04 75 87   c.Z..$...?5...u.\n    0040 - 68 eb 01 06 62 18 26 1e-83 f0 4a e6 f1 bb 12 cc   h...b.&amp;...J.....\n    0050 - f0 35 e8 fa ee 50 c0 0c-4f 6e a7 c4 e2 10 27 ee   .5...P..On....'.\n    0060 - 66 4b 7c bf 96 36 a9 c4-90 3c 62 f5 96 d9 ca d6   fK|..6...&lt;b.....\n    0070 - 7a 33 b5 d4 2d ec fd 89-58 61 de cb d0 b0 8a ec   z3..-...Xa......\n    0080 - d2 a6 14 de 92 8a 58 9f-d4 71 e4 95 c7 9c 94 09   ......X..q......\n    0090 - 65 a1 b6 7c a2 93 b4 60-00 d6 da 81 ea 0a 6d 48   e..|...`......mH\n    00a0 - ff 51 d1 94 b3 66 7d 7a-28 5c a4 7a c3 74 61 1b   .Q...f}z(\\.z.ta.\n    00b0 - d5 61 52 06 10 f3 c4 a8-13 eb 3c 35 e3 44 56 5c   .aR.......&lt;5.DV\\\n\n    Start Time: 1382016174\n    Timeout   : 300 (sec)\n    Verify return code: 18 (self signed certificate)\n<\/code><\/pre>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>How can we mitigate CVE-2012-4929 SSL\/TLS CRIME attack against HTTPS in Red Hat Enterprise Linux 5 or 6 httpd refuses to start when SSLCompression on is used in \/etc\/httpd\/conf.d\/ssl.conf How can we mitigate CVE-2012-4929 SSL\/TLS CRIME attack against HTTPS in Red Hat Enterprise Linux 5 or 6 on httpd and mod_ssl? 
<\/p>\n<p>will focus only on [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2538"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2538"}],"version-history":[{"count":3,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2538\/revisions"}],"predecessor-version":[{"id":2541,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2538\/revisions\/2541"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2538"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2538"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2538"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
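The whole procedure from the post (add the export line to /etc/sysconfig/httpd, restart httpd, check with openssl s_client that Compression: NONE is printed) as one small POSIX shell script. This is an added example, not code from the original post or from Red Hat: the function names, the SYSCONFIG override and the apply argument are my own choices, while the file path, the OPENSSL_NO_DEFAULT_ZLIB variable and the s_client output format are the ones shown above. The script only appends the line if no active copy is present, so it is safe to re-run, and the s_client probe runs in a subshell with the variable unset so that the client still offers compression and the check actually reflects the server.

```shell
#!/bin/sh
# Added example, not from the original post: apply the RHEL 5/6
# OPENSSL_NO_DEFAULT_ZLIB workaround for CVE-2012-4929 (CRIME) and
# verify it with "openssl s_client". Function names and the SYSCONFIG
# override are assumptions made for this example.

SYSCONFIG="${SYSCONFIG:-/etc/sysconfig/httpd}"
ZLIB_LINE='export OPENSSL_NO_DEFAULT_ZLIB=1'

# ensure_no_zlib FILE: append the export line unless an active
# (uncommented) copy is already present, so re-running is harmless.
ensure_no_zlib() {
    if grep -q '^[[:space:]]*export[[:space:]]\{1,\}OPENSSL_NO_DEFAULT_ZLIB=1' "$1" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$ZLIB_LINE" >> "$1"
}

# check_transcript FILE: inspect a saved s_client transcript.
# Returns 0 if "Compression: NONE" was printed, 1 if a compression
# method was negotiated (the server is still vulnerable), 2 if no
# Compression: line is present (handshake failed or wrong input).
check_transcript() {
    comp=$(sed -n 's/^Compression:[[:space:]]*//p' "$1" | head -n 1)
    case "$comp" in
        '')   return 2 ;;
        NONE) return 0 ;;
        *)    return 1 ;;
    esac
}

# probe_host HOST[:PORT]: connect with s_client and return the
# check_transcript status. The subshell unsets OPENSSL_NO_DEFAULT_ZLIB
# so that the *client* still offers zlib; if it did not, the output
# would read "Compression: NONE" even against an unfixed server.
probe_host() {
    target="$1"
    case "$target" in
        *:*) ;;
        *)   target="$target:443" ;;
    esac
    out=$(mktemp) || return 2
    (
        unset OPENSSL_NO_DEFAULT_ZLIB
        openssl s_client -connect "$target" </dev/null 2>/dev/null
    ) > "$out"
    check_transcript "$out"
    rc=$?
    rm -f "$out"
    return "$rc"
}

# Usage on the web server, as root:  sh fix-crime.sh apply
if [ "${1:-}" = "apply" ]; then
    ensure_no_zlib "$SYSCONFIG"
    service httpd restart
    if probe_host localhost; then
        echo "OK: no TLS compression negotiated on localhost:443"
    else
        echo "WARNING: server still offers TLS compression, or the check failed" >&2
        exit 1
    fi
fi
```

Without the apply argument the script only defines the functions, so check_transcript can also be pointed at a transcript saved from another host (openssl s_client -connect host:443 </dev/null > out.txt; then check_transcript out.txt) when the server cannot be probed from where the script runs.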