
Thread: openSUSE 12.2 apache TLS / CRIME

  1. #1

    openSUSE 12.2 apache TLS / CRIME

    Hello,

    I'm using openSUSE 12.2 with apache 2.2.22 (all patches installed). There has been no back-port to use

    SSL_COMPRESSION=off

    in /etc/apache2/httpd.conf. I've tried adding

    export OPENSSL_NO_DEFAULT_ZLIB=1

    to /etc/sysconfig/apache2, but that too does not disable compression when using the TLS protocol. Thus the webserver is still vulnerable to the CRIME attack.

    Is there any way to disable compression for TLS when using apache 2.2.22 and openSUSE 12.2?

    Thanks

    Paul

  2. #2
    Join Date: Feb 2009 | Location: Spain | Posts: 25,547

    Re: openSUSE 12.2 apache TLS / CRIME

    On 2013-03-27 00:06, paul pech wrote:
    > Thus the webserver is still vulnerable to
    > the CRIME attack.


    I know nothing about that, but if you think that openSUSE's apache is
    vulnerable to some attack, there are two places to report: one is the
    security mail list, and another is bugzilla.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.1 x86_64 "Asparagus" at Telcontar)

  3. #3

    Re: openSUSE 12.2 apache TLS / CRIME

    CRIME is nothing really new:

    CRIME (security exploit) - Wikipedia, the free encyclopedia

    For Red Hat it has been discussed here:

    apache2 - How to disable SSLCompression on Apache httpd 2.2.15? (Defense against CRIME/BEAST) - Server Fault

    You can tell whether your (local) webserver supports Zlib SSL/TLS compression by

    echo -n | openssl s_client -connect localhost:443 | grep -E "(Compression|Expansion).*"

    I'm wondering why the proposed workaround (adding "export OPENSSL_NO_DEFAULT_ZLIB=1" to /etc/sysconfig/apache2) does not work with openSUSE.

    --
    Thanks

    Paul
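
    As an added example (not from the thread, nor from openSUSE or Apache), here is a small POSIX-sh wrapper around the probe above: it classifies the `openssl s_client` output instead of just grepping it, and also handles the connection-refused case that shows up later in the thread. It assumes s_client's session summary format (`Compression: NONE` versus e.g. `Compression: zlib compression`); the sample transcripts are constructed.

```shell
#!/bin/sh
# Added example (assumption: s_client prints "Compression: <value>" in its
# SSL-Session summary). classify_sclient_output reads s_client output on
# stdin and prints one of:
#   compression-disabled   (Compression: NONE, or no Compression line at all)
#   compression-enabled    (any other value, e.g. "zlib compression")
#   no-connection          (s_client could not reach host:port)
# Exit status: 0 = disabled, 1 = enabled (CRIME-relevant), 2 = no connection.
classify_sclient_output() {
    out=$(cat)
    case "$out" in
        *"connect:errno="*|*"Connection refused"*)
            echo "no-connection"; return 2 ;;
    esac
    comp=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*Compression:[[:space:]]*//p' | head -n 1)
    case "$comp" in
        ""|NONE) echo "compression-disabled"; return 0 ;;
        *)       echo "compression-enabled ($comp)"; return 1 ;;
    esac
}

# Live probe of host:port (defaults match the thread's localhost:443).
# printf '' replaces the non-portable "echo -n"; stderr is merged so that
# connection errors reach the classifier too.
check_tls_compression() {
    printf '' | openssl s_client -connect "${1:-localhost}:${2:-443}" 2>&1 \
        | classify_sclient_output
}

# Constructed, abridged s_client transcripts for offline use.
SAMPLE_ZLIB='SSL-Session:
    Protocol  : TLSv1
    Compression: zlib compression
    Expansion: zlib compression'
SAMPLE_NONE='SSL-Session:
    Protocol  : TLSv1
    Compression: NONE
    Expansion: NONE'
SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'
```

    Running `check_tls_compression myhost 443` against a server that still negotiates zlib prints `compression-enabled (zlib compression)` and exits 1, which makes it easy to wire into a nightly check.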

  4. #4
    Join Date: Aug 2010 | Location: Chicago suburbs | Posts: 13,308 | Blog Entries: 3

    Re: openSUSE 12.2 apache TLS / CRIME

    Quote Originally Posted by paul_pech:
    > I'm wondering why the proposed workaround (adding "export OPENSSL_NO_DEFAULT_ZLIB=1" to /etc/sysconfig/apache2) does not work with openSUSE.

    It might be a "systemd" kind of thing. Perhaps when "systemd" starts apache, it does not use that sysconfig file.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  5. #5

    Re: openSUSE 12.2 apache TLS / CRIME

    I don't think it's systemd or sysv.

    All the APACHE_MODULES are listed in that file and changes there take effect.

  6. #6
    Join Date: Feb 2009 | Location: Spain | Posts: 25,547

    Re: openSUSE 12.2 apache TLS / CRIME

    On 2013-03-27 01:36, paul pech wrote:
    >
    > CRIME is nothing really new:


    Yes, I just had a look at the wikipedia after reading your post :-)

    > You can tell whether your (local) webserver supports Zlib SSL/TLS
    > compression by


    One detail: Please use code tags for printouts and commands. Advanced
    editor, '#' button.
    Posting in Code Tags - A Guide


    :-)

    Code:
    
    > cer@Telcontar:~> echo -n | openssl s_client -connect localhost:443 | grep -E "(Compression|Expansion).*"
    > connect: Connection refused
    > connect:errno=111
    > cer@Telcontar:~>
    which is not surprising because I haven't bothered to enable ssl :-)


    > I'm wondering why the proposed workaround (adding "export
    > OPENSSL_NO_DEFAULT_ZLIB=1" to /etc/sysconfig/apache2) does not work with
    > openSUSE.


    I don't know, but my initial recommendation still holds, because that
    way you reach the people in charge of security issues, and they can
    give you an authoritative answer.

    In fact, a quick search found me two reports:

    Bug 793420 - VUL-1: CVE-2012-4929: apache2: CRIME attack
    Bug 779952 - VUL-0: CVE-2012-4929: openssl: CRIME attack

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.1 x86_64 "Asparagus" at Telcontar)

  7. #7

    Re: openSUSE 12.2 apache TLS / CRIME

    paul pech wrote:
    > I'm wondering why the proposed workaround (adding "export
    > OPENSSL_NO_DEFAULT_ZLIB=1" to /etc/sysconfig/apache2) does not work with
    > openSUSE.


    As Carlos said, you're better off asking questions like this on the
    security list and in bugzilla

  8. #8

    Re: openSUSE 12.2 apache TLS / CRIME

    Thanks Carlos for pointing me in the right direction;

    https://bugzilla.novell.com/show_bug.cgi?id=779952

    As it seems, a patch is available today for SLE and they're considering it for openSUSE, too. I hope it makes its way there.

    I'll ask questions like this on the security mailing list from now on. Anyways, thanks for the replies.


    --
    Yours

    Paul

  9. #9
    Join Date: Feb 2009 | Location: Spain | Posts: 25,547

    Re: openSUSE 12.2 apache TLS / CRIME

    On 2013-03-27 13:56, paul pech wrote:
    >
    > Thanks Carlos for pointing me in the right direction;
    >
    > https://bugzilla.novell.com/show_bug.cgi?id=779952
    >
    > As it seems, a patch is available today for SLE and they're considering
    > it for openSUSE, too. I hope it makes its way there.


    Yes.

    But I wonder, if the vulnerability has been known for a year, why it
    took so long to create a patch...

    > I'll ask questions like this on the security mailing list from now on.
    > Anyways, thanks for the replies.


    Welcome :-)


    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.1 x86_64 "Asparagus" at Telcontar)

  10. #10
    Join Date: Jun 2008 | Location: San Diego, Ca, USA | Posts: 12,004 | Blog Entries: 2

    Re: openSUSE 12.2 apache TLS / CRIME

    A CRIME and BEAST patch should be available soon; it seems the patch was contributed upstream on 3/3/2013
    https://www.isecpartners.com/news-ev...me-attack.aspx
    https://issues.apache.org/bugzilla/s...g.cgi?id=53219

    According to the article, although you can do due diligence patching server-side, the most practical immediate solution is to just ensure the client web browsers are patched to the latest version; apparently all have been patched (see the list in the isecpartners link). If you want to enforce client browser versions, it only requires a little javascript in the page's head.

    It also looks like you can also upgrade to Apache 2.4, which does allow SSL compression configuration, but for 2.2 there is no user-accessible config unless you're willing to tear into the C code.

    TSU
