Markus Falb 09-24-2012 11:07 AM

SSL CRIME
 
Hi,
Some of you have heard of CRIME, probably.

from https://bugzilla.redhat.com/show_bug.cgi?id=857051
> Adding the following line to the /etc/sysconfig/httpd file:
>
> export OPENSSL_NO_DEFAULT_ZLIB=1

But are there other services besides http that use ssl and are vulnerable?
What is the optimal place for setting this environment variable system wide?

I tried to set it in
/etc/profile.d/CRIME.sh
/etc/bashrc
without success.
--
Kind Regards, Markus Falb

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Leon Fauster 09-24-2012 01:50 PM

SSL CRIME
 
On 24.09.2012 at 13:07, Markus Falb wrote:
> Hi,
> Some of you have heard of CRIME, probably.
>
> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>> Adding the following line to the /etc/sysconfig/httpd file:
>>
>> export OPENSSL_NO_DEFAULT_ZLIB=1
>
> But are there other services besides http that use ssl and are vulnerable?
> What is the optimal place for setting this environment variable system wide?
>
> I tried to set it in
> /etc/profile.d/CRIME.sh
> /etc/bashrc
> without success.


The corresponding patch mentioned in the bz above could be adapted and the openssl package recompiled.

--
LF

"Albert McCann" 09-24-2012 08:26 PM

SSL CRIME
 
> -----Original Message-----
> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On
> Behalf Of Markus Falb
> Sent: Monday, September 24, 2012 7:07 AM
> To: centos@centos.org
> Subject: [CentOS] SSL CRIME
>
> Hi,
> Some of you have heard of CRIME, probably.
>
> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
> > Adding the following line to the /etc/sysconfig/httpd file:
> >
> > export OPENSSL_NO_DEFAULT_ZLIB=1
>
> But are there other services besides http that use ssl and are vulnerable?
> What is the optimal place for setting this environment variable system
> wide?
>
> I tried to set it in
> /etc/profile.d/CRIME.sh
> /etc/bashrc
> without success.

What about placing it in the /etc/rc.d/rc.local file?

Al McCann
---
My computer was sold to me by Mad Man Muntz.


Johnny Hughes 09-24-2012 09:49 PM

SSL CRIME
 
On 09/24/2012 06:07 AM, Markus Falb wrote:
> Hi,
> Some of you have heard of CRIME, probably.
>
> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>> Adding the following line to the /etc/sysconfig/httpd file:
>>
>> export OPENSSL_NO_DEFAULT_ZLIB=1
> But are there other services besides http that use ssl and are vulnerable?
> What is the optimal place for setting this environment variable system wide?
>
> I tried to set it in
> /etc/profile.d/CRIME.sh
> /etc/bashrc
> without success.

The setting only matters if programs look for it and do something with
it ... so you would need to set it for the user that starts whatever
service you are trying to protect, if that daemon actually uses the
variable.

Just because a variable does something in httpd, that does not mean the
same variable means the same thing to sshd or any other daemon.

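Johnny's point is that the variable only helps if it actually reaches the environment of the daemon's process. The following script is an added example, not from anyone in this thread: it reads a NUL-separated environment dump (such as /proc/PID/environ on Linux) and reports whether OPENSSL_NO_DEFAULT_ZLIB=1 is present, so the effect of whatever startup file you chose can be verified per process. It assumes Linux /proc, tr(1), grep(1) and pidof(1).

```shell
#!/bin/sh
# Added example: check whether a running daemon received OPENSSL_NO_DEFAULT_ZLIB,
# the variable that the patched RHEL/CentOS openssl honours to disable TLS
# compression. Assumes Linux /proc and standard tr/grep/pidof.

# environ_has FILE NAME VALUE
# FILE is a NUL-separated environment dump (format of /proc/PID/environ).
# Returns 0 if an entry exactly equal to NAME=VALUE is present, 1 otherwise.
environ_has() {
    tr '\0' '\n' < "$1" | grep -qxF "$2=$3"
}

# daemon_has_nozlib PID
# Returns 0 if the process PID has OPENSSL_NO_DEFAULT_ZLIB=1 in its environment.
daemon_has_nozlib() {
    environ_has "/proc/$1/environ" OPENSSL_NO_DEFAULT_ZLIB 1
}

# report_service PROGRAM
# Prints one line per running process of PROGRAM (e.g. httpd, slapd).
report_service() {
    pids=$(pidof "$1") || { echo "$1: not running"; return 1; }
    for pid in $pids; do
        if daemon_has_nozlib "$pid"; then
            echo "$1 pid $pid: OPENSSL_NO_DEFAULT_ZLIB=1 set (compression disabled)"
        else
            echo "$1 pid $pid: variable missing (TLS compression may still be offered)"
        fi
    done
}

# Usage: report_service httpd; report_service slapd
```

Run it as root after a reboot so that /proc/PID/environ of the daemons is readable and reflects the real boot-time environment rather than an interactive shell's.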

Leon Fauster 09-24-2012 10:37 PM

SSL CRIME
 
On 24.09.2012 at 23:49, Johnny Hughes wrote:
> On 09/24/2012 06:07 AM, Markus Falb wrote:
>> Hi,
>> Some of you have heard of CRIME, probably.
>>
>> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>>> Adding the following line to the /etc/sysconfig/httpd file:
>>>
>>> export OPENSSL_NO_DEFAULT_ZLIB=1
>> But are there other services besides http that use ssl and are vulnerable?
>> What is the optimal place for setting this environment variable system wide?
>>
>> I tried to set it in
>> /etc/profile.d/CRIME.sh
>> /etc/bashrc
>> without success.
>
> The setting only matters if programs look for it and do something with
> it ... so you would need to set it for the user that starts whatever
> service you are trying to protect, if that daemon actually uses the
> variable.
>
> Just because a variable does something in httpd, that does not mean the
> same variable means the same thing to sshd or any other daemon.

It's in openssl itself (rhel5/6):

http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-0.9.8j-env-nozlib.patch?id=1d20b5f2

IMO, the same as above would also apply for e.g. /etc/sysconfig/ldap ...

--
LF

Markus Falb 09-25-2012 12:45 PM

SSL CRIME
 
On 25.9.2012 00:37, Leon Fauster wrote:
> On 24.09.2012 at 23:49, Johnny Hughes wrote:
>> On 09/24/2012 06:07 AM, Markus Falb wrote:
>>> Hi,
>>> Some of you have heard of CRIME, probably.
>>>
>>> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>>>> Adding the following line to the /etc/sysconfig/httpd file:
>>>>
>>>> export OPENSSL_NO_DEFAULT_ZLIB=1
>>> But are there other services besides http that use ssl and are vulnerable?
>>> What is the optimal place for setting this environment variable system wide?
>>>
>>> I tried to set it in
>>> /etc/profile.d/CRIME.sh
>>> /etc/bashrc
>>> without success.
>>
>> The setting only matters if programs look for it and do something with
>> it ... so you would need to set it for the user that starts whatever
>> service you are trying to protect, if that daemon actually uses the
>> variable.
>>
>> Just because a variable does something in httpd, that does not mean the
>> same variable means the same thing to sshd or any other daemon.
>
> It's in openssl itself (rhel5/6):
>
> http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-0.9.8j-env-nozlib.patch?id=1d20b5f2
>
> IMO, the same as above would also apply for e.g. /etc/sysconfig/ldap ...

That was my understanding too. And instead of fixing X services I would
like to fix it for all services at once in one central location.

One could do it in /etc/init.d/functions maybe, but I doubt that it
would survive an update of initscripts.

Now that ssl compression has become security relevant, maybe the openssl
default should be changed: off by default, enabled only explicitly. Leon, I
know you suggested building a custom openssl package in an earlier
message, but to be honest, I am not very enthusiastic about maintaining
my own openssl. Maybe an upstream bugzilla should be filed.

Another related question: What services are vulnerable to CRIME or the
concepts behind CRIME, and what services are not? Everyone is only
talking about http. For example, I think that smtp is not vulnerable if
it does not support smtp auth, or maybe ftp is not vulnerable because it
uses a separate data channel, and so on...
--
Kind Regards, Markus Falb


Markus Falb 09-25-2012 01:01 PM

SSL CRIME
 
On 24.9.2012 22:26, Albert McCann wrote:
>> -----Original Message-----
>> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On
>> Behalf Of Markus Falb
>> Sent: Monday, September 24, 2012 7:07 AM
>> To: centos@centos.org
>> Subject: [CentOS] SSL CRIME
>>
>> Hi,
>> Some of you have heard of CRIME, probably.
>>
>> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>>> Adding the following line to the /etc/sysconfig/httpd file:
>>>
>>> export OPENSSL_NO_DEFAULT_ZLIB=1
>>
>> But are there other services besides http that use ssl and are vulnerable?
>> What is the optimal place for setting this environment variable system
>> wide?
>>
>> I tried to set it in
>> /etc/profile.d/CRIME.sh
>> /etc/bashrc
>> without success.
>
> What about placing it in the /etc/rc.d/rc.local file?

$ ls -l /etc/rc3.d/S99local
lrwxrwxrwx. 1 root root 11 18. Sep 09:08 /etc/rc3.d/S99local -> ../rc.local

It is too late, isn't it?
--
Kind Regards, Markus Falb
