Daniel,
Thanks for the response. I am running OpenSSL 0.9.8. I am attempting to secure TLS compression and mitigate the CRIME vulnerability by adding the following directive to the httpd.conf file: Implementation on Apache HTTP Server (mod_ssl) The following configuration block can be used in Apache HTTP Server 2.2+/2.4+ with mod_ssl. However, there is an exception of being able to turn off TLS/SSL Compression as this is only possible Apache HTTP Server 2.2.24/2.4.3+ using the SSLCompression directive. SSLProtocol ALL -SSLv2 -SSLv3 SSLHonorCipherOrder On SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5 SSLCompression Off I am Thanks… Cathy Fauntleroy, Security+ Van Dyke Technology Group Email: <mailto:cathy.fauntle...@vdtg.com> cathy.fauntle...@vdtg.com Office: (443) 832-4768 From: Daniel [mailto:dferra...@gmail.com] Sent: Saturday, March 14, 2015 7:24 PM To: <users@httpd.apache.org> Subject: Re: [users@httpd] SSL Compression 2015-03-14 15:02 GMT+01:00 Cathy Fauntleroy <cathy.fauntle...@vdtg.com <mailto:cathy.fauntle...@vdtg.com> >: Hello Everyone, I have Apache 2.2.24 installed and I am attempting to disable compression. I am editing the httpd.conf file and adding ‘SSLCompression Off’. When I do that, the Apache service does not start. The system log does not register any meaningful error. Has anyone encountered this before? Thanks… Cathy Fauntleroy, Security+ Van Dyke Technology Group Email: cathy.fauntle...@vdtg.com <mailto:cathy.fauntle...@vdtg.com> Office: (443) 832-4768 <tel:%28443%29%20832-4768> In which context are you trying to use it? Which openssl version do you use? -- Daniel Ferradal IT Specialist email <mailto:dferra...@gmail.com> dferra...@gmail.com linkedin <http://es.linkedin.com/in/danielferradal> es.linkedin.com/in/danielferradal
