Bug#674142: make it possible to disable ssl compression in apache2
> It *IS* backported already and we *WILL* upload it as an update to Stable. But since this is not a critical issue [1] and since uploads to Stable are extremely sensitive it may well be we wait for another issue we need to fix in Stable as well.
>
> [1] it is a browser issue in reality, no really.

I cannot fully agree with this assessment. IMHO the lack of an option to disable compression should be considered a critical issue, and it should be fixed speedily at the server side as well.

SSL compression is an optional feature that is only used if both the server and client support it, and the server agrees to enabling it. Thus the issue can be mitigated in two different ways:

- Modify the clients so that they do not report supporting compression at client hello.

and/or:

- Fix servers so that they do not enable compression, even if the client is advertising the support in client hello. Either remove compression support completely or make it configurable.

The root of the problem is that current stable apache2 enables the compression if requested by the client, and there is no way to mitigate this issue (and the CRIME attack) from the server side.

The most efficient way of fixing this is to patch the server. While clients may have received updates disabling the compression, no-one can guarantee that everyone has installed those patches. It may even be a direct security threat for the server, since an attacker may perform a targeted attack against some administrative functionality (steal the admin's session token) to gain privileged access to the server.

Another argument speaking on behalf of fixing this on the server side is the asymmetry: there are thousands of clients per one server. Fixing the server mitigates the issue for all of the clients (even the unpatched ones!).

Finally, failing PCI compliance is a major issue. To quote pcisecuritystandards.org:

  But if you are not compliant, it could be disastrous:
  o Compromised data negatively affects consumers, merchants, and financial institutions
  o Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future
  o Account data breaches can lead to catastrophic loss of sales, relationships and standing in your community, and depressed share price if yours is a public company
  o Possible negative consequences also include:
    - Lawsuits
    - Insurance claims
    - Cancelled accounts
    - Payment card issuer fines
    - Government fines

Strictly speaking this of course isn't Debian's problem, but nevertheless I think it reflects poorly on Debian's reputation if the vendor is slow to fix an issue that may lead to PCI compliance issues.

You're of course right in that the problem goes away if all clients have been updated. However, I think it would be much better security management to promptly fix it at the server side as well. And it would get all those PCI bound parties happy...

Regards,

-- 
Harry 'Piru' Sintonen
sinto...@iki.fi
http://www.iki.fi/sintonen
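The rule the message above relies on (compression is only in effect when the client advertises it in ClientHello and the server then selects it in ServerHello, so either side can switch it off) can be checked directly on the handshake bytes. The script below is an added example written for this page; it is not code from the bug thread, from Apache mod_ssl or from the Debian patch. The ClientHello and ServerHello records it works on are constructed by hand (TLS 1.0 framing, no extensions) rather than captured from a real server, and `server_select` is a deliberately simplified model of a server's policy, not mod_ssl's actual logic.

```python
"""Audit a TLS handshake for negotiated compression.

Added example, not code from the Debian bug thread or from Apache/mod_ssl.
It models the rule stated in the thread: compression is only used when the
client advertises it in ClientHello *and* the server selects it in
ServerHello, so either side can switch it off. The ClientHello/ServerHello
bytes below are constructed by hand (TLS 1.0 framing, no extensions), not
captured from a real server.
"""
import struct

# Compression method identifiers from the TLS registry.
COMPRESSION_NAMES = {0x00: "null", 0x01: "DEFLATE", 0x40: "LZS"}


def build_client_hello(compression_methods, cipher_suites=(0x002F,)):
    """Constructed ClientHello record advertising the given compression methods."""
    body = b"\x03\x01" + bytes(32) + b"\x00"            # version, random, empty session id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += bytes([len(compression_methods)]) + bytes(compression_methods)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_server_hello(compression_method, cipher_suite=0x002F):
    """Constructed ServerHello record selecting one compression method."""
    body = b"\x03\x01" + bytes(32) + b"\x00"
    body += struct.pack("!H", cipher_suite) + bytes([compression_method])
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = server_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _handshake_body(record, expected_type):
    """Unwrap a TLS record and the handshake header, checking lengths and type."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or len(record) != 5 + length:
        raise ValueError("not a complete handshake record")
    hs_type = record[5]
    hs_len = int.from_bytes(record[6:9], "big")
    if hs_type != expected_type or len(record) != 9 + hs_len:
        raise ValueError("unexpected handshake message")
    return record[9:9 + hs_len]


def advertised_compression(client_record):
    """Compression methods a ClientHello offers, in the client's preference order."""
    hs = _handshake_body(client_record, 0x01)
    off = 2 + 32                                        # skip version and random
    off += 1 + hs[off]                                  # session_id<0..32>
    off += 2 + struct.unpack("!H", hs[off:off + 2])[0]  # cipher_suites<2..2^16-2>
    count = hs[off]
    return list(hs[off + 1:off + 1 + count])


def selected_compression(server_record):
    """The single compression method a ServerHello picked."""
    hs = _handshake_body(server_record, 0x02)
    off = 2 + 32
    off += 1 + hs[off]                                  # session_id
    off += 2                                            # cipher_suite
    return hs[off]


def server_select(advertised, compression_enabled):
    """Simplified model of the server's choice (assumption, not mod_ssl's code):
    the server-side fix the thread asks for amounts to compression_enabled=False,
    after which the server answers 'null' no matter what the client advertised."""
    if compression_enabled and 0x01 in advertised:
        return 0x01
    return 0x00


def audit(client_record, server_record):
    """Report whether this handshake ended up with compression switched on."""
    advertised = advertised_compression(client_record)
    selected = selected_compression(server_record)
    return {
        "advertised": [COMPRESSION_NAMES.get(m, hex(m)) for m in advertised],
        "selected": COMPRESSION_NAMES.get(selected, hex(selected)),
        # A server must not pick a method the client never offered.
        "selection_valid": selected in advertised,
        "compression_active": selected != 0x00,
    }


if __name__ == "__main__":
    # An unpatched client that still advertises DEFLATE, against both server policies.
    hello = build_client_hello([0x01, 0x00])
    for enabled in (True, False):
        reply = build_server_hello(server_select(advertised_compression(hello), enabled))
        print("server compression enabled=%s -> %s" % (enabled, audit(hello, reply)))
```

Running it shows the asymmetry argument in numbers: with `compression_enabled=True` the handshake from a client that offers DEFLATE ends with `compression_active` true, while with the server policy switched off the same unpatched client gets `null` and the session is no longer compressible. On a real server the equivalent switch is the `SSLCompression off` directive that the referenced patch adds; the `Compression:` line printed by `openssl s_client` against your own server gives the same answer for a live connection.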
Bug#674142: make it possible to disable ssl compression in apache2
Hi Arno,

Thanks for your reply. I appreciate that it's a client side issue and apache is just compensating for this, so the efforts are fully appreciated, especially with free software. It's just unfortunate that the PCI compliance companies are treating it as a requirement that the servers should compensate for it.

Out of interest, you said it is already backported? I'm using squeeze-backports but it hasn't appeared as an update? Am I doing something wrong here?

James Greig
Bug#674142: make it possible to disable ssl compression in apache2
Hi,

On 11/22/2012 11:12 AM, James Greig wrote:
> Out of interest, you said it is already backported? I'm using squeeze-backports but it hasn't appeared as an update? Am I doing something wrong here?

I meant, I backported the patch in our source code repository:
http://anonscm.debian.org/gitweb/?p=pkg-apache/apache2.git;a=blob;f=debian/patches/300_disable-ssl-compression.dpatch;h=fd497646c6fe675d47821f729cff8b516319c2d7;hb=refs/heads/squeeze

It is not available in any package (we support) yet.

-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
Bug#674142: make it possible to disable ssl compression in apache2
Is there any way to get a .deb of this at all or is it purely a waiting game?

James Greig
Bug#674142: make it possible to disable ssl compression in apache2
Hi,

I second the last message. I have a number of systems failing PCI compliance that run squeeze, so I would really welcome this patch to Debian squeeze even if it's backported.

James Greig
Bug#674142: make it possible to disable ssl compression in apache2
On 11/21/2012 10:32 AM, James Greig wrote:
> I second the last message. I have a number of systems failing PCI compliance that run squeeze so would really welcome this patch to debian squeeze even if it's backported.

It *IS* backported already and we *WILL* upload it as an update to Stable. But since this is not a critical issue [1] and since uploads to Stable are extremely sensitive it may well be we wait for another issue we need to fix in Stable as well.

[1] it is a browser issue in reality, no really.

-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
Bug#674142: make it possible to disable ssl compression in apache2 mod_ssl
On Wednesday 06 June 2012, Arno Töll wrote:
> Hi,
>
> On 23.05.2012 12:17, Bjoern Jacke wrote:
>> Please consider to add the patch from https://issues.apache.org/bugzilla/show_bug.cgi?id=53219 to the Debian package.
>
> as you might have noticed Stefan was committing your patch upstream. Thus, it might be included in upcoming releases for the 2.4 branch and hence also in Debian. It may also be backported to the 2.2 series, but chances are this comes too late for Wheezy. I personally wouldn't mind to include it for Wheezy as a Debian patch, but I'd let that up to Stefan to decide as there are some more changes in trunk which could be included into Wheezy if we're freezing before 2.2.23 is released.

I don't like to add config directives that are not in an upstream release (or at least have been committed to the upstream stable branch). If the upstream syntax changes until it is released, the mismatch creates a headache for supporters. Unfortunately, there is currently not much momentum at upstream for 2.2.23.

>> Maybe it is possible to get this even in Squeeze as it doesn't change any default setting?
>
> I don't think so. Whether or not this is changing the default behavior, it is still an invasive change we are not considering for a stable release.
Bug#674142: make it possible to disable ssl compression in apache2 mod_ssl
Hi,

On 23.05.2012 12:17, Bjoern Jacke wrote:
> Please consider to add the patch from https://issues.apache.org/bugzilla/show_bug.cgi?id=53219 to the Debian package.

as you might have noticed Stefan was committing your patch upstream. Thus, it might be included in upcoming releases for the 2.4 branch and hence also in Debian. It may also be backported to the 2.2 series, but chances are this comes too late for Wheezy. I personally wouldn't mind to include it for Wheezy as a Debian patch, but I'd let that up to Stefan to decide as there are some more changes in trunk which could be included into Wheezy if we're freezing before 2.2.23 is released.

> Maybe it is possible to get this even in Squeeze as it doesn't change any default setting?

I don't think so. Whether or not this is changing the default behavior, it is still an invasive change we are not considering for a stable release.

-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
Bug#674142: make it possible to disable ssl compression in apache2 mod_ssl
Package: apache2
Version: 2.2.16
Owner: debian-apa...@lists.debian.org

Some browsers like Chrome/Chromium, but also cmdline clients using openssl like wget, support ssl compression. This is a big problem for ssl enabled servers when they offer big files. Pulling, for example, an (already compressed) 100MB file via such a browser using https, the ssl compression eats up CPU time significantly. The overall performance of the server will also go down. Multiple clients make it even worse.

It should be possible to disable ssl compression in mod_ssl to solve this issue. Please consider adding the patch from https://issues.apache.org/bugzilla/show_bug.cgi?id=53219 to the Debian package. It adds the parameter SSLCompression On/Off which allows disabling the ssl compression.

Maybe it is possible to get this even in Squeeze as it doesn't change any default setting?