October 2019
M T W T F S S
« Aug    
 123456
78910111213
14151617181920
21222324252627
28293031  

Categories

WordPress Quotes

The only man who never makes mistakes is the man who never does anything.
Theodore Roosevelt
October 2019
M T W T F S S
« Aug    
 123456
78910111213
14151617181920
21222324252627
28293031  

Short Cuts

2012 SERVER (64)
2016 windows (9)
AIX (13)
Amazon (40)
Ansibile (19)
Apache (135)
Asterisk (2)
cassandra (2)
Centos (211)
Centos RHEL 7 (268)
chef (3)
cloud (2)
cluster (3)
Coherence (1)
DB2 (5)
DISK (25)
DNS (9)
Docker (30)
Eassy (11)
ELKS (1)
EXCHANGE (3)
Fedora (6)
ftp (5)
GIT (3)
GOD (2)
Grub (1)
Hacking (10)
Hadoop (6)
health (1)
horoscope (23)
Hyper-V (10)
IIS (15)
IPTABLES (15)
JAVA (7)
JBOSS (32)
jenkins (1)
Kubernetes (7)
Ldap (5)
Linux (188)
Linux Commands (166)
Load balancer (5)
mariadb (14)
Mongodb (4)
MQ Server (24)
MYSQL (84)
Nagios (5)
NaturalOil (13)
Nginx (35)
Ngix (1)
openldap (1)
Openstack (6)
Oracle (35)
Perl (3)
Postfix (19)
Postgresql (1)
PowerShell (2)
Python (3)
qmail (36)
Redis (12)
RHCE (28)
SCALEIO (1)
Security on Centos (29)
SFTP (1)
Shell (64)
Solaris (58)
Sql Server 2012 (4)
squid (3)
SSH (10)
SSL (14)
Storage (1)
swap (3)
TIPS on Linux (28)
tomcat (62)
Uncategorized (30)
Veritas (2)
vfabric (1)
VMware (28)
Weblogic (38)
Websphere (71)
Windows (19)
Windows Software (2)
wordpress (1)
ZIMBRA (17)

WP Cumulus Flash tag cloud by Roy Tanck requires Flash Player 9 or better.

Who's Online

22 visitors online now
8 guests, 14 bots, 0 members

Hit Counter provided by dental implants orange county

How to fix mod_ssl CRIME CVE-2012-4929 SSL/TLS CRIME

How can we mitigate CVE-2012-4929 SSL/TLS CRIME attack against HTTPS in Red Hat Enterprise Linux 5 or 6

  • httpd refuses to start when SSLCompression on is used in /etc/httpd/conf.d/ssl.conf
  • How can we mitigate CVE-2012-4929 SSL/TLS CRIME attack against HTTPS in Red Hat Enterprise Linux 5 or 6 on httpd and mod_ssl?

will focus only on fixing the problem. On RHEL server 5.x and 6.x the easy way is to simply disable SSL compression.
In newer Apache versions this can be done using the cmd: “SSLCompression off”

But in RHEL this will not work and you will get the following error
“Invalid command ‘SSLCompression’, perhaps misspelled or defined by a module not included in the server configuration”

As described in RHEL support site the way to do is:

Add the following to “export OPENSSL_NO_DEFAULT_ZLIB=1? /etc/sysconfig/httpd and then restart the service, like:

export OPENSSL_NO_DEFAULT_ZLIB=1

# echo “export OPENSSL_NO_DEFAULT_ZLIB=1? >> /etc/sysconfig/httpd
# service httpd restart

 

openssl s_client -connect localhost:443

.
-bash-4.1# openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=0 C = –, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = mohan111, emailAddress = root@mohan111
verify error:num=18:self signed certificate
verify return:1
depth=0 C = –, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = mohan111, emailAddress = root@mohan111
verify return:1

Certificate chain
0 s:/C=–/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=mohan111/emailAddress=root@mohan111
i:/C=–/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=mohan111/emailAddress=root@mohan111

Server certificate
—–BEGIN CERTIFICATE—–
MIIDCzCCAnSgAwIBAgICRhAwDQYJKoZIhvcNAQEFBQAwgaExCzAJBgNVBAYTAi0t
MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK
DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV
bml0MREwDwYDVQQDDAh0YWdpdDExMTEcMBoGCSqGSIb3DQEJARYNcm9vdEB0YWdp
dDExMTAeFw0xMzEwMTcxMzA1NTBaFw0xNDEwMTcxMzA1NTBaMIGhMQswCQYDVQQG
EwItLTESMBAGA1UECAwJU29tZVN0YXRlMREwDwYDVQQHDAhTb21lQ2l0eTEZMBcG
A1UECgwQU29tZU9yZ2FuaXphdGlvbjEfMB0GA1UECwwWU29tZU9yZ2FuaXphdGlv
bmFsVW5pdDERMA8GA1UEAwwIdGFnaXQxMTExHDAaBgkqhkiG9w0BCQEWDXJvb3RA
dGFnaXQxMTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJvMjBwCChoJH74j
dPECdB+saT/HqMtRP7w2cGi/G+7/VmNfFMLN3VqDMuUiAwXBSMrhDDhBO69+aMvj
oZHupGgVLTAzRJa9uP9PquFfjOuxEUvnKzlg0gwCqWH06GCu0ZcooIsduTRLOE9X
tbSgN2snQ00XEV1Xl9niWgvKFUnxAgMBAAGjUDBOMB0GA1UdDgQWBBQpJ2Y+9O+d
knVbGpff1za/RE6ngzAfBgNVHSMEGDAWgBQpJ2Y+9O+dknVbGpff1za/RE6ngzAM
BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAHp1LU5VuP/b4euNRJdvK0eu
vxi8STrqmUOuQ90v1jZgqMaLT1/tQ/5+h2E5gUDL4pdi7IoTldB3xBcfR8vvnfgC
cOvRmqIyUFgDeULFNk+lcFq0FdDIm/AbZxAT5hlQZU5EQUfkws5qerwmOlp9Gs2n
WPmDOjcmvTWsrSevbyQU
—–END CERTIFICATE—–
subject=/C=–/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=mohan111/emailAddress=root@mohan111
issuer=/C=–/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=mohan111/emailAddress=root@mohan111

No client certificate CA names sent

SSL handshake has read 1533 bytes and written 310 bytes

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher    : DHE-RSA-AES256-SHA
Session-ID: 11311947FC0F863B4646C035BFB7E84BBDE6E263B43D50318E253FDDF970F9C1
Session-ID-ctx:
Master-Key: 3C4E725A784B5412E40F9502159639C73611DCD3A5515F6E3132545458F0032A1812FA563BAEC15CF24689577C128B76
Key-Arg   : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 – 91 88 07 7a aa ac 4e c5-9c a5 21 7d a3 d6 fc d9   …z..N…!}….
0010 – 90 3e bd 2d a3 c3 3b 1d-98 10 30 32 d9 27 46 8e   .>.-..;…02.’F.
0020 – 18 77 d5 31 41 d0 9f c5-21 6b 37 92 32 fb d0 7b   .w.1A…!k7.2..{
0030 – 63 f7 5a 1c d3 24 92 f7-1c 3f 35 f2 a3 04 75 87   c.Z..$…?5…u.
0040 – 68 eb 01 06 62 18 26 1e-83 f0 4a e6 f1 bb 12 cc   h…b.&…J…..
0050 – f0 35 e8 fa ee 50 c0 0c-4f 6e a7 c4 e2 10 27 ee   .5…P..On….’.
0060 – 66 4b 7c bf 96 36 a9 c4-90 3c 62 f5 96 d9 ca d6   fK|..6…<b…..
0070 – 7a 33 b5 d4 2d ec fd 89-58 61 de cb d0 b0 8a ec   z3..-…Xa……
0080 – d2 a6 14 de 92 8a 58 9f-d4 71 e4 95 c7 9c 94 09   ……X..q……
0090 – 65 a1 b6 7c a2 93 b4 60-00 d6 da 81 ea 0a 6d 48   e..|…`……mH
00a0 – ff 51 d1 94 b3 66 7d 7a-28 5c a4 7a c3 74 61 1b   .Q…f}z(\.z.ta.
00b0 – d5 61 52 06 10 f3 c4 a8-13 eb 3c 35 e3 44 56 5c   .aR…….<5.DV\

Start Time: 1382016174
Timeout   : 300 (sec)
Verify return code: 18 (self signed certificate)

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

  

  

  

Blue Captcha Image
Refresh

*

Protected by WP Anti Spam