Bug 507324 - www-servers/apache-2.2 - place "SSLCompression off" into /etc/apache2/modules.d/40_mod_ssl.conf
Summary: www-servers/apache-2.2 - place "SSLCompression off" into /etc/apache2/modules...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Patrick Lauer
Reported: 2014-04-10 12:57 UTC by Martin Mokrejš
Modified: 2014-05-26 16:29 UTC (History)
Runtime testing required: ---
Description Martin Mokrejš 2014-04-10 12:57:13 UTC
While checking my apache instance for the heartbeat attack at https://www.ssllabs.com/ssltest it reported I have vulnerability:

TLS compression: Yes   INSECURE

seems to be known also as CRIME: https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls


The blog has two solutions, I edited my /etc/apache2/modules.d/40_mod_ssl.conf and after re-testing using https://www.ssllabs.com/ssltest the vulnerability is now gone. It is out of my knowledge whether forcing something like USE=-zlib would do the same, especially as it could disable webserver's ability to compress plaintext files before sending them to browsers for display. You are the experts, me not.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2014-04-19 20:30:48 UTC
Reassigning to the maintainers, sorry about the delay.

Also see bug 506924.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-04-20 16:46:46 UTC
This was now committed to our apache git repository:

http://git.overlays.gentoo.org/gitweb/?p=proj/apache.git;a=commitdiff;h=9154fa2d2a6b8f0b59c5b1d83c8186a4249d7f8f
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-04-20 21:28:23 UTC
+*apache-2.4.9-r1 (20 Apr 2014)
+*apache-2.2.27-r1 (20 Apr 2014)
+
+  20 Apr 2014; Lars Wendler <polynomial-c@gentoo.org> -apache-2.2.26.ebuild,
+  +apache-2.2.27-r1.ebuild, -apache-2.4.9.ebuild, +apache-2.4.9-r1.ebuild:
+  Revbump fixing bug #506924 and bug #507324. Removed old.
+
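Review bot: the entry says the revbump fixes bug #506924 and bug #507324 but does not name the configuration change that the revbump ships; stating it in the entry (an explicit "SSLCompression off" added to /etc/apache2/modules.d/40_mod_ssl.conf, per this bug's title) would let anyone who diffs their config after the upgrade see at once why the file changed.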
Comment 4 Torsten Kaiser 2014-04-21 03:20:55 UTC
After the upgrade to 2.4.9-r1 my apache failed to restart:
apache2          |Invalid command 'SSLCompression', perhaps misspelled or defined by a module not included in the server configuration

I'm not using SSL, so mod_ssl is not loaded and this directive can't be used.

Can be trivially fixed by moving it before the </IfDefine>, like the rest of 40_mod_ssl.conf
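The placement problem described above, shown as an added illustration rather than Gentoo's actual 40_mod_ssl.conf: the directive name "SSLCompression" only exists while mod_ssl is loaded, so it has to sit inside the same guards as the file's other mod_ssl directives. The guard names (the SSL define and the ssl_module module test) are assumed here to match the Gentoo file; the comment only says the directive must move before the closing </IfDefine>.

```apache
# Added example (not Gentoo's shipped 40_mod_ssl.conf): where "SSLCompression"
# may and may not appear. The define name "SSL" and the module name
# "ssl_module" are assumptions about the surrounding file.
#
# Broken placement (the -r1 revbump): the directive sits after the guards, so
# it is evaluated unconditionally. A server started without the SSL define
# has no mod_ssl loaded and refuses to start with
# "Invalid command 'SSLCompression', perhaps misspelled or defined by a module
# not included in the server configuration".
#
#   <IfDefine SSL>
#   <IfModule ssl_module>
#       ... the rest of the mod_ssl configuration ...
#   </IfModule>
#   </IfDefine>
#   SSLCompression off
#
# Corrected placement (the -r2 revbump): inside both guards, so the directive
# is only parsed when mod_ssl is actually present.
<IfDefine SSL>
<IfModule ssl_module>
    # Disable TLS-level compression so a response cannot leak secrets through
    # its compressed length (the CRIME attack reported by the SSL Labs test).
    # "off" is already the upstream default in the Apache versions discussed
    # here (comment 7); keeping it explicit stops an operator from turning it
    # on by copying an old snippet, which is the reporter's point in comment 8.
    SSLCompression off

    # ... the rest of the file's mod_ssl configuration follows here ...
</IfModule>
</IfDefine>
```

To check a change like this before restarting, run `apache2ctl configtest` both with and without the SSL define (on Gentoo the define comes from `-D SSL` in `APACHE2_OPTS` in /etc/conf.d/apache2); the broken layout fails the test only in the second case, which is why it slipped past reviewers who all ran SSL-enabled instances. After the restart, `openssl s_client -connect host:443` should report `Compression: NONE` for the negotiated session.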
Comment 5 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-04-21 09:45:16 UTC
+*apache-2.4.9-r2 (21 Apr 2014)
+*apache-2.2.27-r2 (21 Apr 2014)
+
+  21 Apr 2014; Lars Wendler <polynomial-c@gentoo.org> -apache-2.2.27-r1.ebuild,
+  +apache-2.2.27-r2.ebuild, -apache-2.4.9-r1.ebuild, +apache-2.4.9-r2.ebuild:
+  Moved SSLCompression into the IfDefine.
+
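Review bot: the entry "Moved SSLCompression into the IfDefine." gives no reference to why a second revbump was needed one day after -r1; adding the reason (in -r1 the directive sat outside </IfDefine>, so apache failed to start with "Invalid command 'SSLCompression'" on systems without mod_ssl loaded, as reported in comment 4) keeps the ChangeLog self-explanatory for anyone reading the two consecutive entries.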
Sorry for the inconvenience. This is a perfect example of how mistakes can be overlooked, as I had these changes reviewed by four other people.
Comment 6 Torsten Kaiser 2014-04-21 19:23:22 UTC
No problem. I can easily see how that slipped through testing, and if it's fixed as fast as in this case, I really do not have any complaints.

Thanks!
Comment 7 Michael Orlitzky gentoo-dev 2014-05-23 19:09:57 UTC
The default for SSLCompression is "off" in all of our Apache versions:

  * http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcompression

  * http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression

(it changed in 2.2.26).

So if you'd like to reduce the noise in the default config, this can be removed again.
Comment 8 Martin Mokrejš 2014-05-26 16:29:39 UTC
No, I think it is helpful to keep them in; it is too easy for a user to enable it and we should educate them NOT to do it. Only worse, the defaults changed between minor versions. You could also argue that users are supposed to switch to 2.4 where it is disabled ... no, I think this is just wrong argumentation. They simply have to be made aware of that, so it should stay in. Thanks.