How to disable SSLCompression on Apache httpd 2.2.15? (Defense against CRIME/BEAST)
I read about the CRIME attack against TLS Compression (CVE-2012-4929, CRIME is a successor to the BEAST attack against ssl & tls), and I want to protect my webservers against this attack by disabling SSL Compression, which was added to Apache 2.2.22 (See Bug 53219).
I am running Scientific Linux 6.3, which ships with httpd-2.2.15. Security fixes for upstream versions of httpd 2.2 should be backported to this version.
# rpm -q httpd
httpd-2.2.15-15.sl6.1.x86_64
# httpd -V
Server version: Apache/2.2.15 (Unix)
Server built: Feb 14 2012 09:47:14
Server's Module Magic Number: 20051115:24
Server loaded: APR 1.3.9, APR-Util 1.3.9
Compiled using: APR 1.3.9, APR-Util 1.3.9
I tried SSLCompression off in my configuration, but that results in the following error message:
# /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: Syntax error on line 147 of /etc/httpd/httpd.conf:
Invalid command 'SSLCompression', perhaps misspelled or defined by a module not included in the server configuration
[FAILED]
Is it possible to disable SSLCompression with this version of Apache Webserver?
On March 4, 2013, Red Hat provided updated OpenSSL packages which address this issue. You can receive them through your normal update channels.
The original answer was:
Red Hat has not provided an updated package which provides this functionality, though there is a workaround available. Edit the /etc/sysconfig/httpd
file and add this line to it:
export OPENSSL_NO_DEFAULT_ZLIB=1
Then restart Apache:
service httpd restart
This will cause OpenSSL, which provides crypto functions for Apache, to not offer compression.