Hi, some of you have heard of CRIME, probably.
From https://bugzilla.redhat.com/show_bug.cgi?id=857051:
Adding the following line to the /etc/sysconfig/httpd file:
export OPENSSL_NO_DEFAULT_ZLIB=1
But there are other services besides http that use SSL and are vulnerable? What is the optimal place for setting this environment variable system wide?
I tried to set it in /etc/profile.d/CRIME.sh and /etc/bashrc without success.
On 24.09.2012 at 13:07, Markus Falb wrote:
> Hi, some of you have heard of CRIME, probably.
> From https://bugzilla.redhat.com/show_bug.cgi?id=857051:
> Adding the following line to the /etc/sysconfig/httpd file:
> export OPENSSL_NO_DEFAULT_ZLIB=1
> But there are other services besides http that use SSL and are vulnerable? What is the optimal place for setting this environment variable system wide?
> I tried to set it in /etc/profile.d/CRIME.sh and /etc/bashrc without success.

The corresponding patch mentioned in the bz above could be adapted and the openssl package recompiled.

-- LF
> -----Original Message-----
> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Markus Falb
> Sent: Monday, September 24, 2012 7:07 AM
> To: centos@centos.org
> Subject: [CentOS] SSL CRIME
>
> Hi, some of you have heard of CRIME, probably.
> From https://bugzilla.redhat.com/show_bug.cgi?id=857051:
> Adding the following line to the /etc/sysconfig/httpd file:
> export OPENSSL_NO_DEFAULT_ZLIB=1
> But there are other services besides http that use SSL and are vulnerable? What is the optimal place for setting this environment variable system wide?
> I tried to set it in /etc/profile.d/CRIME.sh and /etc/bashrc without success.

What about placing it in the /etc/rc.d/rc.local file?

Al McCann --- My computer was sold to me by Mad Man Muntz.
On 24.9.2012 22:26, Albert McCann wrote:
> -----Original Message-----
> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Markus Falb
> Sent: Monday, September 24, 2012 7:07 AM
> To: centos@centos.org
> Subject: [CentOS] SSL CRIME
>
>> Hi, some of you have heard of CRIME, probably.
>> From https://bugzilla.redhat.com/show_bug.cgi?id=857051:
>> Adding the following line to the /etc/sysconfig/httpd file:
>> export OPENSSL_NO_DEFAULT_ZLIB=1
>> But there are other services besides http that use SSL and are vulnerable? What is the optimal place for setting this environment variable system wide?
>> I tried to set it in /etc/profile.d/CRIME.sh and /etc/bashrc without success.
>
> What about placing it in the /etc/rc.d/rc.local file?

$ ls -l /etc/rc3.d/S99local
lrwxrwxrwx. 1 root root 11 18. Sep 09:08 /etc/rc3.d/S99local -> ../rc.local

It is too late, isn't it?
On 09/24/2012 06:07 AM, Markus Falb wrote:
> Hi, some of you have heard of CRIME, probably.
> From https://bugzilla.redhat.com/show_bug.cgi?id=857051:
> Adding the following line to the /etc/sysconfig/httpd file:
> export OPENSSL_NO_DEFAULT_ZLIB=1
> But there are other services besides http that use SSL and are vulnerable? What is the optimal place for setting this environment variable system wide?
> I tried to set it in /etc/profile.d/CRIME.sh and /etc/bashrc without success.

The setting only matters if programs look for it and do something with it ... so you would need to set it for the user that starts whatever service you are trying to protect, if that daemon actually uses the variable.

Just because a variable does something in httpd, that does not mean the same variable means the same thing to sshd or any other daemon.
On 24.09.2012 at 23:49, Johnny Hughes wrote:
> On 09/24/2012 06:07 AM, Markus Falb wrote:
>> Hi, some of you have heard of CRIME, probably.
>> From https://bugzilla.redhat.com/show_bug.cgi?id=857051:
>> Adding the following line to the /etc/sysconfig/httpd file:
>> export OPENSSL_NO_DEFAULT_ZLIB=1
>> But there are other services besides http that use SSL and are vulnerable? What is the optimal place for setting this environment variable system wide?
>> I tried to set it in /etc/profile.d/CRIME.sh and /etc/bashrc without success.
>
> The setting only matters if programs look for it and do something with it ... so you would need to set it for the user that starts whatever service you are trying to protect, if that daemon actually uses the variable.
>
> Just because a variable does something in httpd, that does not mean the same variable means the same thing to sshd or any other daemon.

It's in openssl itself (rhel5/6):
http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-0.9.8j-env-nozli...

IMO, the same as above would also apply for e.g. /etc/sysconfig/ldap ...

-- LF
On 25.9.2012 00:37, Leon Fauster wrote:
> On 24.09.2012 at 23:49, Johnny Hughes wrote:
>> On 09/24/2012 06:07 AM, Markus Falb wrote:
>>> Hi, some of you have heard of CRIME, probably.
>>> From https://bugzilla.redhat.com/show_bug.cgi?id=857051:
>>> Adding the following line to the /etc/sysconfig/httpd file:
>>> export OPENSSL_NO_DEFAULT_ZLIB=1
>>> But there are other services besides http that use SSL and are vulnerable? What is the optimal place for setting this environment variable system wide?
>>> I tried to set it in /etc/profile.d/CRIME.sh and /etc/bashrc without success.
>>
>> The setting only matters if programs look for it and do something with it ... so you would need to set it for the user that starts whatever service you are trying to protect, if that daemon actually uses the variable.
>>
>> Just because a variable does something in httpd, that does not mean the same variable means the same thing to sshd or any other daemon.
>
> It's in openssl itself (rhel5/6):
> http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-0.9.8j-env-nozli...
>
> IMO, the same as above would also apply for e.g. /etc/sysconfig/ldap ...

That was my understanding too. And instead of fixing X services I would like to fix it for all services at once in one central location.

One could do it in /etc/init.d/functions maybe, but I doubt that it would survive an update of initscripts.

Now that SSL compression has become security relevant, maybe the openssl default should be changed: default off, enabled only explicitly. Leon, I know you suggested building a custom openssl package in an earlier message, but to be honest, I am not very enthusiastic about maintaining my own openssl. Maybe an upstream bugzilla should be filed.

Another related question: What services are vulnerable to CRIME or the concepts behind CRIME, and what services are not? Everyone is only talking about http. For example, I think that SMTP is not vulnerable if it does not support SMTP AUTH, or maybe FTP is not vulnerable because it uses a separate data channel, and so on...
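Two points in this thread turn into one practical check: Johnny's observation that the variable only helps if it is in the environment of the daemon process itself (not the shell that /etc/bashrc or /etc/profile.d runs in), and Markus's question of which services are affected at all. The script below is an added example, not from the thread or from the openssl package. It assumes, as the bugzilla describes, that the RHEL openssl build reads OPENSSL_NO_DEFAULT_ZLIB from the process environment, and it treats any process with an OpenSSL libssl.so mapped as one the variable applies to. NSS-based daemons (libssl3.so) are deliberately not matched, since the variable means nothing to them. The --demo mode builds constructed stand-ins for /proc/<pid> so the logic runs without real daemons; --all walks the live /proc and needs root to read other users' entries.

```shell
#!/bin/sh
# Added audit script (not from the thread or the openssl package).
# Assumptions: the RHEL openssl build honours OPENSSL_NO_DEFAULT_ZLIB from the
# process environment, and a process with an OpenSSL libssl.so mapped is one
# the variable applies to. Reading other users' /proc entries needs root.

# env_has_nozlib FILE: FILE is NUL-separated KEY=VALUE, i.e. /proc/<pid>/environ.
# Succeeds only if OPENSSL_NO_DEFAULT_ZLIB=1 is in the daemon's own environment.
env_has_nozlib() {
    tr '\000' '\n' < "$1" | grep -qx 'OPENSSL_NO_DEFAULT_ZLIB=1'
}

# maps_has_libssl FILE: FILE is in /proc/<pid>/maps format; succeeds if an
# OpenSSL libssl.so is mapped (libssl.so.6 on rhel5, libssl.so.10 on rhel6).
# NSS's libssl3.so does not match on purpose.
maps_has_libssl() {
    grep -q '/libssl\.so' "$1"
}

# audit_proc DIR NAME: judge one /proc/<pid> directory. Returns 0 when the
# process does not use OpenSSL (or maps is unreadable) or has the variable,
# 1 when it uses OpenSSL and the variable is missing.
audit_proc() {
    dir=$1 name=$2
    maps_has_libssl "$dir/maps" 2>/dev/null || return 0
    if env_has_nozlib "$dir/environ" 2>/dev/null; then
        echo "$name (pid ${dir##*/}): libssl mapped, OPENSSL_NO_DEFAULT_ZLIB=1 set"
        return 0
    fi
    echo "$name (pid ${dir##*/}): libssl mapped, variable NOT set"
    return 1
}

# audit_all: walk the live /proc and count OpenSSL users that lack the variable.
audit_all() {
    missing=0
    for d in /proc/[0-9]*; do
        n=$(sed -n 's/^Name:[[:space:]]*//p' "$d/status" 2>/dev/null)
        [ -n "$n" ] || continue
        audit_proc "$d" "$n" || missing=$((missing + 1))
    done
    echo "processes using libssl without the variable: $missing"
    [ "$missing" -eq 0 ]
}

# make_fake_proc DIR NAME MAPLINE ENV...: constructed stand-in for /proc/<pid>
# (status, maps, environ), used by --demo and for testing without real daemons.
make_fake_proc() {
    dir=$1 name=$2 mapline=$3; shift 3
    mkdir -p "$dir"
    printf 'Name:\t%s\n' "$name" > "$dir/status"
    printf '%s\n' "$mapline" > "$dir/maps"
    : > "$dir/environ"
    for kv in "$@"; do printf '%s\000' "$kv" >> "$dir/environ"; done
}

# Constructed maps lines (addresses and inode numbers are made up).
ssl='7f2a00000000-7f2a00010000 r-xp 00000000 08:01 1 /usr/lib64/libssl.so.10'
libc='7f2a00100000-7f2a00110000 r-xp 00000000 08:01 2 /lib64/libc.so.6'

case "${1:-}" in
--demo)
    tmp=$(mktemp -d)
    make_fake_proc "$tmp/101" httpd "$ssl"  'PATH=/usr/sbin:/usr/bin' 'OPENSSL_NO_DEFAULT_ZLIB=1'
    make_fake_proc "$tmp/102" slapd "$ssl"  'PATH=/usr/sbin:/usr/bin'
    make_fake_proc "$tmp/103" crond "$libc" 'PATH=/usr/sbin:/usr/bin'
    for d in "$tmp"/*; do
        audit_proc "$d" "$(sed -n 's/^Name:[[:space:]]*//p' "$d/status")"
    done
    rm -rf "$tmp"
    ;;
--all) audit_all ;;
*) echo "usage: $0 --demo | --all" ;;
esac
```

Run it with --all on a host after the services have been (re)started: a daemon that reports "variable NOT set" was started from an environment that never saw the export, which is exactly the failure mode of putting it in rc.local (S99local runs after the services) or in the shell profiles. Checking /proc/<pid>/environ rather than the shell's own environment is the point of the script.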
Markus Falb wrote:
> On 25.9.2012 00:37, Leon Fauster wrote:
>> On 24.09.2012 at 23:49, Johnny Hughes wrote:
>>> On 09/24/2012 06:07 AM, Markus Falb wrote:
>>>> Hi, some of you have heard of CRIME, probably.
<snip>

Reading this thread, I finally looked it up. This was my best hit: http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor, which I thought y'all might find interesting.

mark