[CentOS] SSL CRIME

Mon Sep 24 21:49:02 UTC 2012
Johnny Hughes <johnny at centos.org>

On 09/24/2012 06:07 AM, Markus Falb wrote:
> Hi,
> Some of you have heard of CRIME, probably.
>
> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>> Adding the following line to the /etc/sysconfig/httpd file:
>>
>>   export OPENSSL_NO_DEFAULT_ZLIB=1
> But there are other services besides http that use SSL and are vulnerable?
> What is the optimal place for setting this environment variable system wide?
>
> I tried to set it in
> /etc/profile.d/CRIME.sh
> /etc/bashrc
> without success.

The setting only matters if programs look for it and do something with
it ... so you would need to set it for the user that starts whatever
service you are trying to protect, if that daemon actually uses the
variable.

Just because a variable does something in httpd, that does not mean the
same variable means the same thing to sshd or any other daemon.
