Bug#674142: make it possible to disable ssl compression in apache2

2012-11-28 Thread Harry Sintonen

 It *IS* backported already and we *WILL* upload it as an update to
 Stable. But since this is not a critical issue [1] and since uploads to
 Stable are extremely sensitive it may well be we wait for another issue
 we need to fix in Stable as well.

 [1] it is a browser issue in reality, no really.


I cannot fully agree with this assessment. IMHO the lack of an option to disable 
compression should be considered a critical issue, and it should be fixed 
speedily at server side as well.


SSL compression is an optional feature that is only used if both the 
server and client support it, and the server agrees to enabling it. Thus 
the issue can be mitigated in two different ways:


- Modify the clients so that they do not report supporting compression at
  client hello.

and/or:

- Fix servers so that they do not enable compression, even if the client
  is advertising the support in client hello. Either remove compression
  support completely or make it configurable.

The root of the problem is that current stable apache2 enables the
compression if requested by the client, and there is no way to mitigate 
this issue (and the CRIME attack) from the server side.


The most efficient way of fixing this is to patch the server. While 
clients may have received updates disabling the compression, no-one can 
guarantee that everyone has installed those patches.


It may even be a direct security threat for the server since an attacker 
may perform a targeted attack against some administrative functionality 
(steal admin's session token) to gain privileged access to the server.


Another argument speaking on behalf of fixing this on the server side is 
the asymmetry: there are thousands of clients per one server. Fixing the 
server mitigates the issue for all of the clients (even the unpatched 
ones!).


Finally, failing PCI compliance is a major issue. To quote 
pcisecuritystandards.org:


But if you are not compliant, it could be disastrous:

  o Compromised data negatively affects consumers, merchants, and
    financial institutions

  o Just one incident can severely damage your reputation and your ability
    to conduct business effectively, far into the future

  o Account data breaches can lead to catastrophic loss of sales,
    relationships and standing in your community, and depressed share
    price if yours is a public company

  o Possible negative consequences also include:

    - Lawsuits
    - Insurance claims
    - Cancelled accounts
    - Payment card issuer fines
    - Government fines


Strictly speaking this of course isn't Debian's problem, but nevertheless 
I think it reflects poorly on Debian's reputation if the vendor is slow to fix 
an issue that may lead to PCI compliance issues.


You're of course right in that the problem goes away if all clients have 
been updated. However, I think it would be much better security 
management to promptly fix it at server side as well. And it would get 
all those PCI bound parties happy...



  Regards,
--
l=2001;main(i){float o,O,_,I,D;for(;O=I=l/571.-1.75,l;)for(putchar(--l%80?
i:10),o=D=l%80*.05-2,i=31;_=O*O,O=2*o*O+I,o=o*o-_+D,o+_+_4+Di++87;);puts
(  Harry 'Piru' Sintonen sinto...@iki.fi http://www.iki.fi/sintonen;);}


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
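The negotiation and the attack discussed in the message above, as an added Python example that is not part of the bug thread or of the Apache/Debian code: zlib stands in for the TLS DEFLATE compression method (RFC 3749 specifies the zlib format, so the length behaviour is the same; the simplification is that one request is compressed on its own rather than inside a long-lived per-connection compression context). Part 1 is the CRIME length oracle, showing why an attacker who can make the victim's browser request a URL of their choosing can read the session cookie off the wire sizes. Part 2 is a minimal ClientHello parser and the server's half of the negotiation, where `allow_compression=False` plays the role of mod_ssl's `SSLCompression off`. The request template, the cookie value `7f3a9c`, the ClientHello bytes and all function names are constructed for the demonstration.

```python
"""Added example (not code from the bug thread): why a TLS-compressed
session leaks a cookie (CRIME), and the server-side negotiation rule that
closes the hole regardless of what clients advertise.

Constructed inputs throughout: the request template, the cookie value and
the ClientHello bytes are made up for the demonstration.
"""
import zlib

# Compression method identifiers from the TLS registry (RFC 3749 / RFC 5246).
NULL_COMPRESSION = 0x00
DEFLATE_COMPRESSION = 0x01

HEX = "0123456789abcdef"

# --- Part 1: the length oracle behind CRIME --------------------------------

SECRET = "7f3a9c"                # constructed session token (even length)
REQUEST = (
    "GET /{attacker_part} HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: sessionid={secret}\r\n"
    "\r\n"
)

def observed_len(attacker_part, secret=SECRET):
    """Length a network attacker sees for the victim's request when the TLS
    layer DEFLATE-compresses the plaintext before encrypting it. The attacker
    controls only the URL (e.g. via a link or an injected <img>); the
    victim's browser appends the cookie."""
    plaintext = REQUEST.format(attacker_part=attacker_part, secret=secret)
    return len(zlib.compress(plaintext.encode(), 9))

def recover_secret(oracle=observed_len, secret_len=len(SECRET)):
    """Recover the cookie by extending a known prefix and keeping whichever
    candidate compresses smallest: the guess that continues the real cookie
    lets LZ77 match a longer string, so fewer literal bytes are emitted.

    Two hex characters per step: one correct character saves only 7-8 bits,
    which need not change the byte length the attacker observes; a correct
    pair saves at least 15 bits and always yields a strictly shorter record.
    (Real CRIME tooling pads requests instead.)"""
    known = ""
    while len(known) < secret_len:
        sizes = {a + b: oracle(f"?sessionid={known}{a}{b}")
                 for a in HEX for b in HEX}
        best = min(sizes.values())
        winners = [pair for pair, n in sizes.items() if n == best]
        if len(winners) != 1:
            break                    # ambiguous: stop rather than guess
        known += winners[0]
    return known

# --- Part 2: the server's half of the negotiation --------------------------

def build_client_hello(compression_methods, cipher_suites=(0x002F, 0x0035)):
    """Constructed ClientHello handshake message (RFC 5246 s.7.4.1.2 layout,
    no extensions, zeroed random) offering the given compression methods."""
    body = b"\x03\x03" + bytes(32) + b"\x00"   # version, random, empty session id
    suites = b"".join(s.to_bytes(2, "big") for s in cipher_suites)
    body += len(suites).to_bytes(2, "big") + suites
    body += bytes([len(compression_methods)]) + bytes(compression_methods)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def offered_compression_methods(handshake):
    """Parse the compression_methods vector out of a ClientHello message."""
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                                          # version, random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    count = body[pos]
    return list(body[pos + 1:pos + 1 + count])

def select_compression(offered, allow_compression):
    """Server-side choice. The client only advertises; the server decides.
    With allow_compression=False (mod_ssl's 'SSLCompression off') the answer
    is null even for unpatched clients that still offer DEFLATE, which is
    why the server-side fix covers every client at once."""
    if NULL_COMPRESSION not in offered:
        raise ValueError("illegal_parameter: null compression must be offered")
    if allow_compression and DEFLATE_COMPRESSION in offered:
        return DEFLATE_COMPRESSION
    return NULL_COMPRESSION

if __name__ == "__main__":
    print("recovered cookie:", recover_secret())
    hello = build_client_hello([DEFLATE_COMPRESSION, NULL_COMPRESSION])
    offered = offered_compression_methods(hello)
    for allow in (True, False):
        print("server allows compression:", allow,
              "-> negotiated method:", select_compression(offered, allow))
```

The oracle works with zlib's default settings because, for an input this short, deflate emits a fixed-Huffman block in which every hex literal costs 8 bits and the match-length code grows by at most one bit per extension; the guessing loop therefore needs no padding tricks, only the two-characters-per-step rule explained in the docstring.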



Bug#674142: make it possible to disable ssl compression in apache2

2012-11-22 Thread James Greig
Hi Arno,

Thanks for your reply.  I appreciate that it's a client side issue and apache 
is just compensating for this so the efforts are fully appreciated especially 
with free software.  It's just unfortunate that the PCI compliance companies 
are treating it as a requirement that the servers should compensate for it.

Out of interest, you said it is already backported?  I'm using 
squeeze-backports but it hasn't appeared as an update?  Am I doing something 
wrong here?


James Greig


Bug#674142: make it possible to disable ssl compression in apache2

2012-11-22 Thread Arno Töll
Hi,

On 11/22/2012 11:12 AM, James Greig wrote:
 Out of interest, you said it is already backported?  I'm using 
 squeeze-backports but it hasn't appeared as an update?  Am I doing something 
 wrong here?

I meant, I backported the patch in our source code repository:
http://anonscm.debian.org/gitweb/?p=pkg-apache/apache2.git;a=blob;f=debian/patches/300_disable-ssl-compression.dpatch;h=fd497646c6fe675d47821f729cff8b516319c2d7;hb=refs/heads/squeeze

It is not available in any package (we support) yet.

-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D



signature.asc
Description: OpenPGP digital signature


Bug#674142: make it possible to disable ssl compression in apache2

2012-11-22 Thread James Greig
Is there any way to get a .deb of this at all or is it purely a waiting game?

James Greig


Bug#674142: make it possible to disable ssl compression in apache2

2012-11-21 Thread James Greig
Hi,

I second the last message.  I have a number of systems failing PCI compliance 
that run squeeze so would really welcome this patch to debian squeeze even if 
it's backported.

James Greig



Bug#674142: make it possible to disable ssl compression in apache2

2012-11-21 Thread Arno Töll
On 11/21/2012 10:32 AM, James Greig wrote:
 I second the last message.  I have a number of systems failing PCI compliance 
 that run squeeze so would really welcome this patch to debian squeeze even if 
 it's backported.

It *IS* backported already and we *WILL* upload it as an update to
Stable. But since this is not a critical issue [1] and since uploads to
Stable are extremely sensitive it may well be we wait for another issue
we need to fix in Stable as well.

[1] it is a browser issue in reality, no really.
-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D





Bug#674142: make it possible to disable ssl compression in apache2 mod_ssl

2012-06-08 Thread Stefan Fritsch
On Wednesday 06 June 2012, Arno Töll wrote:
 Hi,
 
 On 23.05.2012 12:17, Bjoern Jacke wrote:
  Please consider to add the patch from
  https://issues.apache.org/bugzilla/show_bug.cgi?id=53219 to the
  Debian package.
 
 as you might have noticed Stefan was committing your patch
 upstream. Thus, it might be included in upcoming releases for the
 2.4 branch and hence also in Debian. It may also be backported to
 the 2.2 series, but chances are this comes too late for Wheezy.
 
 I personally wouldn't mind to include it for Wheezy as a Debian
 patch, but I'd let that up to Stefan to decide as there are some
 more changes in trunk which could be included into Wheezy if we're
 freezing before 2.2.23 is released.

I don't like to add config directives that are not in an upstream 
release (or at least have been committed to the upstream stable 
branch). If the upstream syntax changes until it is released, the 
mismatch creates a headache for supporters.

Unfortunately, there is currently not much momentum at upstream for 
2.2.23.

  Maybe it is possible to get this even in Squeeze as it doesn't
  change any default setting?
 
 I don't think so. Whether or not this is changing the default
 behavior, it is still an invasive change we are not considering
 for a stable release.






Bug#674142: make it possible to disable ssl compression in apache2 mod_ssl

2012-06-05 Thread Arno Töll
Hi,

On 23.05.2012 12:17, Bjoern Jacke wrote:
 Please consider to add the patch from
 https://issues.apache.org/bugzilla/show_bug.cgi?id=53219 to the Debian 
 package.

as you might have noticed Stefan was committing your patch upstream.
Thus, it might be included in upcoming releases for the 2.4 branch and
hence also in Debian. It may also be backported to the 2.2 series, but
chances are this comes too late for Wheezy.

I personally wouldn't mind to include it for Wheezy as a Debian patch,
but I'd let that up to Stefan to decide as there are some more changes
in trunk which could be included into Wheezy if we're freezing before
2.2.23 is released.

 Maybe it is possible to get this even in Squeeze as it doesn't
 change any default setting?

I don't think so. Whether or not this is changing the default behavior,
it is still an invasive change we are not considering for a stable release.


-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D





Bug#674142: make it possible to disable ssl compression in apache2 mod_ssl

2012-05-23 Thread Bjoern Jacke
Package: apache2
Version: 2.2.16
Owner: debian-apa...@lists.debian.org

Some browsers like Chrome/Chromium but also cmdline clients using openssl like
wget support ssl compression. This is a big problem for ssl enabled servers
when they offer big files. Pulling, for example, an (already compressed) 100MB
file via such a browser using https, the ssl compression eats up CPU time
significantly. The overall performance of the server will also go down.
Multiple clients make it even worse. It should be possible to disable ssl
compression in mod_ssl to solve this issue.

Please consider adding the patch from
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219 to the Debian package.
It adds the parameter SSLCompression On/Off which allows disabling the ssl
compression.  Maybe it is possible to get this even in Squeeze as it doesn't
change any default setting?



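The directive the patch adds, as an added configuration example rather than text from the bug report. `SSLCompression` only exists in a mod_ssl that carries the bug 53219 change (upstream httpd 2.4.3 and 2.2.24, or a Debian build with the `300_disable-ssl-compression` backport linked above); on an older mod_ssl the directive is unknown and the configuration test fails, which is the quickest way to find out whether a given package has the fix. The hostnames and certificate paths are placeholders.

```apache
# Global mod_ssl settings (e.g. /etc/apache2/mods-available/ssl.conf on Debian).
# Set it explicitly rather than relying on the build's default; run
# "apache2ctl configtest" first: an older mod_ssl rejects the directive
# with "Invalid command 'SSLCompression'" and refuses to start.
SSLCompression off

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    # SSLCompression is also valid per virtual host; left unset here it
    # inherits the global "off" above.
</VirtualHost>
```

Two checks belong with this. From outside, `openssl s_client -connect www.example.com:443` prints a `Compression:` line in its session summary; it must read `NONE`, while `zlib compression` means the server still agreed to DEFLATE. Run that check from a client whose OpenSSL was built with zlib, because a client that never offers DEFLATE proves nothing about the server. Second, the directive can only decline what OpenSSL offers: if the OpenSSL that mod_ssl links against was built without zlib, compression is already impossible and the setting is harmless but redundant.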