Ssl – How to disable SSL/TLS compression in Apache 2.2.16

apache-2.2compressionSecuritysslwindows-server-2008

I have one sever running on Apache 2.2.16. I run the VA scanner on the server. According to the VA report it is recommended that SSL/TLS compression should be off.
I tried to search google, but didnt find any helpful. Can anybody tell me how to set it off in Apache 2.2.16 without upgrading the version.

Best Answer

Sometimes, even with the latest version of Apache, if the current openssl library is not enough recent, the server returns the following error:

Invalid command 'SSLCompression', perhaps misspelled or defined by a module not included in the server configuration.

In this case you can disable the compression exporting the following variable before start Apache httpd server:

export OPENSSL_NO_DEFAULT_ZLIB=1

I have found the suggestion here:

Related Solutions

Ssl – Force SMTP authentication to use SSL/TLS with Plesk’s Qmail SMTP server

I didn't know I could just run Plesk's autoinstaller (/opt/psa/admin/bin/autoinstaller) and replace Qmail with Postfix. With postfix, I simply enabled smtpd_tls_auth_only and it's done.

Apache – Disable SSLCompression to Defend Against CRIME/BEAST

On March 4, 2013, Red Hat provided updated OpenSSL packages which address this issue. You can receive them through your normal update channels.

The original answer was:

Red Hat has not provided an updated package which provides this functionality, though there is a workaround available. Edit the /etc/sysconfig/httpd file and add this line to it:

export OPENSSL_NO_DEFAULT_ZLIB=1

Then restart Apache:

service httpd restart

This will cause OpenSSL, which provides crypto functions for Apache, to not offer compression.

Best Answer

Related Solutions

Ssl – Force SMTP authentication to use SSL/TLS with Plesk’s Qmail SMTP server

Apache – Disable SSLCompression to Defend Against CRIME/BEAST

Related Topic