Friday, 12 April 2013

Compression in SSL/RedHat/CentOS


Copy/paste from this link:

https://bugzilla.redhat.com/show_bug.cgi?id=857051

OpenSSL enables zlib compression by default for both clients and servers starting with version 0.9.8:
The openssl packages in Red Hat Enterprise Linux 5 (starting with RHBA-2009:0181 update released in Red Hat Enterprise Linux 5.3) and 6, and also in Fedora, contain a patch that makes the library check if OPENSSL_NO_DEFAULT_ZLIB environment variable is set (can have arbitrary value, even empty string) and disable the default zlib support.

Setting the OPENSSL_NO_DEFAULT_ZLIB environment variable before starting a client or a server application using OpenSSL can be used to disable zlib compression support and hence mitigate this flaw.  For example, httpd with mod_ssl has compression enabled by default in Red Hat Enterprise Linux 5 and 6, and hence it is used when client also supports it.  Adding the following line to the /etc/sysconfig/httpd file:

  export OPENSSL_NO_DEFAULT_ZLIB=1

and restarting the httpd service disables the use of SSL/TLS compression in mod_ssl and the compression will not be negotiated even when connecting client supports it.  Note that this environment variable only affects the use of SSL/TLS protocol compression and does not affect the use of HTTP protocol compression implemented by the mod_deflate module.

The openssl packages in Red Hat Enterprise Linux 3 and 4 are based on upstream version 0.9.7a and do not enable SSL/TLS zlib compression.
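The mitigation quoted above is a single `export` line in `/etc/sysconfig/httpd` followed by a restart. The script below is an added example (not from the Red Hat bug report or the openssl package) that applies it idempotently: it only appends the line when no `OPENSSL_NO_DEFAULT_ZLIB` export is already there, so re-running it on a configuration-management schedule never duplicates the entry. It assumes, as on RHEL/CentOS 5 and 6, that the httpd init script sources `/etc/sysconfig/httpd` so the variable reaches the httpd process environment; the `SYSCONFIG_FILE` override and the `--apply` flag are this example's own conventions.

```shell
#!/bin/sh
# Added example: idempotently disable SSL/TLS zlib compression for mod_ssl by
# exporting OPENSSL_NO_DEFAULT_ZLIB from the httpd sysconfig file.
# Assumption: the httpd init script sources this file (RHEL/CentOS 5 and 6).
# SYSCONFIG_FILE is an override for testing; it defaults to the real path.

SYSCONFIG_FILE="${SYSCONFIG_FILE:-/etc/sysconfig/httpd}"
EXPORT_LINE='export OPENSSL_NO_DEFAULT_ZLIB=1'
# Matches an export of the variable with any value (the patch accepts any value,
# even an empty string, so "=" with nothing after it still counts).
EXPORT_PATTERN='^[[:space:]]*export[[:space:]]+OPENSSL_NO_DEFAULT_ZLIB='

# has_no_zlib FILE : exit 0 if FILE already exports OPENSSL_NO_DEFAULT_ZLIB
has_no_zlib() {
    grep -Eq "$EXPORT_PATTERN" "$1" 2>/dev/null
}

# disable_tls_compression FILE : append the export line unless already present
disable_tls_compression() {
    file="$1"
    if has_no_zlib "$file"; then
        return 0          # already mitigated, nothing to change
    fi
    printf '%s\n' "$EXPORT_LINE" >> "$file"
}

# count_export_lines FILE : how many export lines exist (a correct file has 1)
count_export_lines() {
    grep -Ec "$EXPORT_PATTERN" "$1" 2>/dev/null || true
}

# Only touch the real file when explicitly asked; without --apply this script
# just defines the functions above.
if [ "${1:-}" = "--apply" ]; then
    disable_tls_compression "$SYSCONFIG_FILE"
    echo "$SYSCONFIG_FILE now contains $(count_export_lines "$SYSCONFIG_FILE") OPENSSL_NO_DEFAULT_ZLIB export line(s)"
    echo "restart httpd (service httpd restart) for the setting to take effect"
fi
```

After the restart, the change can be confirmed from a client with `openssl s_client -connect <your-host>:443`, whose handshake summary prints a `Compression:` line; it should read `NONE` once the server no longer offers zlib. As the bug report notes, this only affects TLS-level compression, so `mod_deflate` HTTP compression keeps working.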
