Igor,
Great information. I appreciate it!

Thanks…

Cathy Fauntleroy, Security+
Van Dyke Technology Group
Email: cathy.fauntle...@vdtg.com
Office: (443) 832-4768

From: Igor Cicimov [mailto:icici...@gmail.com]
Sent: Wednesday, March 18, 2015 5:50 PM
To: users
Subject: Re: [users@httpd] SSL Compression

On 19/03/2015 2:02 AM, "Daniel" <dferra...@gmail.com> wrote:
>
> There is an exception, you can only use that directive in server config,
> that's why I asked about the context.
>
> If you set that up inside a virtualhost, it will probably give you
> issues.
>
> --
> Daniel Ferradal
> IT Specialist
>
> email dferra...@gmail.com
> linkedin es.linkedin.com/in/danielferradal
>
> 2015-03-16 5:48 GMT+01:00 Cathy Fauntleroy <cathy.fauntle...@vdtg.com>:
>>
>> Daniel,
>>
>> Thanks for the response. I am running OpenSSL 0.9.8. I am attempting to
>> secure TLS compression and mitigate the CRIME vulnerability by adding the
>> following directive to the httpd.conf file:
>>
>> Implementation on Apache HTTP Server (mod_ssl)
>>
>> The following configuration block can be used in Apache HTTP Server
>> 2.2+/2.4+ with mod_ssl. However, there is an exception of being able to turn
>> off TLS/SSL Compression as this is only possible in Apache HTTP Server
>> 2.2.24/2.4.3+ using the SSLCompression directive.
>>
>> SSLProtocol ALL -SSLv2 -SSLv3
>> SSLHonorCipherOrder On
>> SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
>> SSLCompression Off
>>
>> I am
>>
>> Thanks…
>>
>> Cathy Fauntleroy, Security+
>>
>> From: Daniel [mailto:dferra...@gmail.com]
>> Sent: Saturday, March 14, 2015 7:24 PM
>> To: <users@httpd.apache.org>
>> Subject: Re: [users@httpd] SSL Compression
>>
>> 2015-03-14 15:02 GMT+01:00 Cathy Fauntleroy <cathy.fauntle...@vdtg.com>:
>>>
>>> Hello Everyone,
>>>
>>> I have Apache 2.2.24 installed and I am attempting to disable compression.
>>> I am editing the httpd.conf file and adding ‘SSLCompression Off’. When I
>>> do that, the Apache service does not start. The system log does not
>>> register any meaningful error. Has anyone encountered this before?
>>>
>>> Thanks…
>>>
>>> Cathy Fauntleroy, Security+
>>
>> In which context are you trying to use it? Which openssl version do you use?
>>
>> --
>> Daniel Ferradal
>> IT Specialist

Yes you can use that in virtual host context. The problem is that you are trying to use cipher suites not supported by your openssl version. Check by running:

openssl ciphers -v

and check that the ciphers you have included in apache are in the list. I also recommend you upgrade to openssl-1.0.1
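
The check suggested in the last reply, as an added example that is not part of the original thread: it splits the SSLCipherSuite value quoted above on colons and asks the local `openssl ciphers` about each token separately, listing the tokens that select no cipher. The function name and its optional second argument (an alternative openssl command) are assumptions of this example, and it relies on `openssl ciphers` exiting non-zero when a string matches nothing.

```shell
#!/bin/sh
# SSLCipherSuite value as quoted in the thread.
SUITE='ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5'

# unsupported_tokens SUITE [OPENSSL_CMD]   (hypothetical helper name)
# Prints every colon-separated token of SUITE that selects no cipher in
# the OpenSSL build behind OPENSSL_CMD (default: openssl).
# Returns 1 if at least one token was printed, 0 otherwise.
# The body runs in a subshell so IFS and 'set -f' do not leak to the caller.
unsupported_tokens() (
    suite=$1
    ossl=${2:-openssl}
    rc=0
    set -f      # no filename globbing while the string is split
    IFS=:
    for tok in $suite; do
        case $tok in
            # Exclusions (!x, -x), reordering (+x) and @STRENGTH select
            # nothing on their own, so testing them alone proves nothing.
            ''|'!'*|-*|+*|@*) continue ;;
        esac
        # 'openssl ciphers' fails when the string matches no cipher.
        if ! "$ossl" ciphers -v "$tok" >/dev/null 2>&1; then
            printf '%s\n' "$tok"
            rc=1
        fi
    done
    return "$rc"
)

# Run against the local build when openssl is installed.
if command -v openssl >/dev/null 2>&1; then
    unsupported_tokens "$SUITE" ||
        echo "the tokens above match no cipher in: $(openssl version)"
fi
```

Run it with the same OpenSSL binary and libraries that httpd is linked against; a different `openssl` on the PATH reports on a different build.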